Trust values: Trust has a minimum of three possible values:
+, 0 and -

+ trusted according to policy(+), here
called trust

0 trust value not assigned by either
policy(+) or policy(-), here called atrust and equivalent to the statement "needs zero
trust"

- trusted according to policy(-), here
called distrust

The respective (+) and (-) policies define the extent of trust for each
positive and negative range. The trust value depends on the extent of trust.
The larger the extent, the more you trust (or distrust). However, within
that extent trust (or distrust) is always 100%.

1997 note: This is a work
document for open peer-review and public
discussion. It may change frequently.

Foreword: Trust is the problem. Understanding
human trust is exactly what brought me to that great IT question in 1997:
how
can I trust a set of bytes? My answer, given in this original paper
draft, provided a framework that has been useful in the field of information
security.

The framework allows us to use the concept of trust in a common heterogeneous environment,
comprising humans and machines, where trust is understood exactly as what we humans call
trust (e.g., as expected fulfillment of behavior) and bridges to machines in terms of
qualified information based on factors independent of that information.

We realize that trust is essentially communicable. But trust,
as qualified reliance on information, needs multiple, independent channels
to be communicated. If we have two entities (e.g., a client and server)
talking to one another, we have only one channel of communication. Clearly,
we need more than two entities. It seems unreasonable to require a hundred
entities.

Looking into millennia of human uses of trust, we realize
that we need at least four parties to induce trust (i.e., to communicate
trust in a "clean slate" scenario): (1-2) the two parties in a dialogue, (3) at least one trusted
introducer, and (4) at least one trusted witness. Trusted introducers and trusted
witnesses allow you to build two open-ended trust chains for every action,
the witness chain providing the assurances ("how did we get here?") that
led to action (including the action itself) while the introducer chain
("where do we go from here?") provides the assurances both for a continuation
of that action and for other actions that may need assurances stemming
from it.

I call this principle the Trust Induction Principle: to induce
trust, every action needs both a trusted introducer and a trusted witness.

Please google for "gerck trust" to find newer papers, applications and
also comments by others.

To the weary reader:
The
bottom line: Trust in cyberspace (e.g., between machines) is defined and
is based on the same notion of trust, as a form of reliance, that we have
been using for millennia between humans and in business. Using Information
Theory terminology, this paper defines this notion of trust as: "Trust
is that which is essential to a communication channel but cannot be transferred
from a source to a destination using that channel."

Why is this important?
Why would you need to ever use the concept of trust in communications?

Because you cannot always directly measure, feedback and control everything
that may affect your communications. In the Internet, for example, you
cannot control both sides of a communication channel. You need to use
trust (and the laws of trust!) when it is not possible, or it is not convenient,
to apply the laws of control with their specific requirements for measurement,
feedback, processing and channel capacity.

Moreover, the trust solution
is not some form of "let's start and hope all goes well". The trust solution can be mathematically
defined and embodies laws of trust that are exemplified for open-loop
control in communications, Internet security applications, and human-human,
human-machine, machine-machine dialogue.

This work presents a formal and abstract definition of trust which
allows any number of explicit trust definitions to be derived for different
application areas, such as communication systems, digital certificates,
cryptography, law, linguistics, social sciences, commerce and day-to-day
living -- providing mutually compatible and useful real-world trust models
or trust instances. The paper presents more than thirty of such equivalent
instances, and discusses their general formation rule for qualitative as
well as quantitative uses of the concept of trust. The paper also compares
and contrasts trust with auditing, power, belief functions, probabilistic
models in the frequency and the Bayesian interpretations, fuzzy logic concepts,
surveillance, open-loop control, risk, insurance, information, meaning,
accountability, reasonable reliance, justified reliance etc.
From the discussion, trust emerges as the mathematics of subjective certainty
and precision -- a concept to be further developed in the context of
non-boolean logic over a multivector space in Grassmann Algebra.

Note 2: If the reader wants to initially have a contact with examples
and practical Internet questions, it is suggested to begin reading the
paper by item 4 above.

Note 3: The abstract trust definition presented here is a single,
implicit formal definition that depends neither on instances nor on observers.
The concrete realizations of trust in real-world usage built using the
abstract definition, however, can depend on references and may have many
representations, as discussed.

Note 4: The terminology "real-world models of trust" is used for
all particular instances that are derived from the abstract trust definition,
as representations of it, and which apply to the real-world -- including
the so-called virtual reality or cyberspace.

1. Introduction

Trust -- the next frontier? The conceptual frontier seems to be more elusive
than the physical dimensions of space and time. Since immemorial time,
the concept of trust pervades the religious, philosophical and historical
writings . Branded as "unscientific", trust became the ugly duckling of
science -- utterly condemned to be subjective, imprecise, unreliable ...
even untrustworthy. Now that the Internet provides an example of important,
needed and yet unreachable events, trust is being often mentioned
either as its savior or its nemesis. However, what does trust mean?
What is trust?

This paper will initially focus on the subject of trust in communication
systems -- specially the Internet -- which will allow us to view
trust within the broad picture of information exchange and follow Shannon's
ideas as closely as we can, building a base and a unifying concept for
all other uses of the concept of trust, even in other areas besides communication
systems and Internet certification protocols. In fact, if there is
information being sent or received whatsoever the medium (e.g., by
TCP/IP Internet protocol, by fax, by written messages, by oral messages,
by body language, by field measurements, etc.), whatsoever the communicating
parties in any combination (e.g., persons, cybernetic agents, software,
hardware, etc.), the formalism here described is general enough to
be applied. Communication systems are thus a very intuitive framework
and we can relate several examples to day-to-day experience and humanistic
sciences -- as we investigate the abstract idea of trust and proceed to
model it out of the "common denominator "of all its real-world molds, targeting
a hopefully useful conceptualization of trust.

The first subject is on "modeling of trust" and not on "trust
modeling" -- the second being derived from the first. What I am saying
is that we must first define and understand what trust is (and, possibly,
is not) in the context of communication systems before we go into cryptographic
algorithms and message protocols -- which can serve well either to be a
means of conveying said understanding or, of obfuscating said ignorance!

For example, today's Internet certification protocols such as X.509,
PGP and others, take a leap of ignorance on what trust is and start by
defining means to convey it. Such attitude is not even empirical, it is
indeed arbitrary. To justify this leap of ignorance, standards such as
X.509 have statements to the effect that "... such will be defined in
the CPS, which is not a part of this document." -- as if assumptions
could be defined after the theorems that use them.

This is important for three main reasons:

We want machines to use a well-developed, real-world,
tested, qualified, notion of trust;

We want machines to be useful to us as our agents
in terms of decisions that depend on trust; and

We want the same notion of trust to be communicable
and interoperate among humans and machines.

In short, we want trust in cyberspace (e.g., between
machines) to be based on that same notion of trust, as a form of reliance,
that we have been using for millennia between humans and in business. It
turns out, however, that there is wide disagreement as to what a definition
of trust might be -- even for us, humans. Thus, as my first
task, I share my investigation of what --and what not-- trust might be.
My conclusion is that, even though we all use different trust models, even
though we all decide to rely on a different way, we all share the same
notion of trust. Using Information Theory terminology, this paper defines
this notion of trust as:

"Trust is that which is essential to a communication
channel but cannot be transferred from a source to a destination using
that channel."

We cannot use the same channel for both
the information and the trust for that information, neither sending nor
receiving. A decision to trust a set of bytes (such as someone's name,
a source of a communication, a name on a certificate, a digital signature,
or an electronic record) must be based on factors outside the assertion
of trustworthiness that is contained in that same set of bytes. Likewise,
a decision to trust someone must be based on factors outside the assertion
of trustworthiness that the person makes for himself.

So how does the trust model work? -- This is the
wrong question to ask here! The real question is: "What trust model would
you like to use?" There is a built-in notion of the meta-rules (given by
the trust definition), that any trust model has to follow, but I might
buy a trust model from someone and add that model, design my own model,
or even augment a model that I bought. Different trust models can be used
as long as they conform to the given trust definition.

The problem today is, thus, basic: lack of understanding of trust's
truth conditions cannot allow trust's truth-values to be well-defined,
try as we may. And, such confusion is not a prerogative of
today's Internet security protocols, as McKnight and Chervany show in their
extensive study on the meanings of trust [McK96]
in several other areas. It exists in all other areas where the concept
of trust is used, such as in management, interpersonal relationships,
business relationships, security policies, etc. And,
cannot be solved by just positing a behavior for trust -- since trust is
a fundamental concept both used and useful in the real-world as we can
see by its widespread application in all cultures and respective law systems.

While the paper oftentimes uses humans to exemplify
notions of trust, it is not relevant if there is, or there is not, a human
in control of an end point, a machine or some software. It can very
well be another machine. Trust is defined in such a way that its usefulness
is no longer limited to human communication.

2. The Real-World Model of Trust

"If the world were really random, chemistry, cooking,
and credit would not be possible, so our models cannot be figments of our
imagination." [Che90].

Fifty years ago, Shannon was faced with a problem: he needed to define
the concept of information, but in a way which would allow its unambiguous
use in communication engineering while still conserving a real-world significance.
Preceded by the efforts of Szillard [Szi29], who in
1929 identified the unit or "bit" of information when dealing with
entropy and the Maxwell's Demon problem in Physics, by Hartley in 1928
[Har28] and by Nyquist [Nyq24]
in 1924, he took a different approach than just positing a behavior for
information. Let us follow his steps in Information Theory [Sha48],
with has found applications in several areas including his own ground-breaking
paper onCryptography [Sha49]. As commented in
[Ger97]:
"In Information Theory, information has nothing to do with knowledge
or meaning. In the context of Information Theory, information is simply
that which is transferred from a source to a destination, using a communication
channel. If, before transmission, the information is available at the destination
then the transfer is zero. Information received by a party is that what
the party does not expect -- as measured by the uncertainty of the party
as to what the message will be."
Shannon's contribution here goes far beyond the definition (and derived
mathematical consequences) that "information is what you do not expect".
His zeroth-contribution (so to say, in my counting) was to actually recognize
that unless he would arrive at a real-word model of information to be used
in the electronic world, no logically useful information model could be
set forth!

Now, in the Internet world, we have come to a standoff: either we develop
a real-world model of trust or we cannot continue to deal with limited
and faulty-ridden trust models that treat trust artificially and objectively,
as the Internet expands from a parochial to a planetary network for e-commerce,
EDI, communication, etc. We must be able to fully handle trust and all
its subjective and intersubjective aspects.

And, what would be a "real-world model of trust" for communication systems,
e.g. the Internet world? Akin to Information Theory, the concept
of trust in communication systems must have nothing to do with friendship,
acquaintances, employee-employer relationships, loyalty, betrayal and other
overly-variable concepts. Here, trust is not to be taken in
the purely subjective sense either, nor as a feeling or something
purely personal or psychological -- trust is to be understood as something
potentially communicable. Further, if trust must bridge different instances
and observers, otherwise communication would be isolated in domains, then
all different subjective and intersubjective realizations of trust must
depend on some common, basic and abstract idea -- an archetype in some
terminologies. As used in the context of Generalized Certification
Theory [Ger98a] trust is, simply:

"trust is that which is essential to a communication channel but
cannot be transferred from a source to a destination using that channel".

This is a formal and abstract definition of trust. It defines
trust by the properties it obeys, without citing any context, without even
providing an example we could denote -- it does not provide a value, only
behavior. Thus, the given definition achieves the broadest possible conceptualization
of trust, since it is both environment-invariant and observer-invariant
(environment and observers are abstract). But, we expect it to contain
the seed-thought or root-idea of trust. In other words, we expect it to
contain trust's implicit truth conditions for any explicit trust application
we may need, from the social scenario to automatic communication processes.
This should afford an unified "gist" of trust to be perceived in all applications
-- which we also expect to be close to the real-world gist of trust.

The author considers (and the paper shows) that an abstract
definition is much more general, and preferable, than an explicit definition
that would depend on a particular set of environment assumptions.
The different environment assumptions then represent nothing more than
different stances for the abstract definition of trust, not different concepts
of trust. Semantically, the abstract definition of trust is
a logical proposition which is assumed to contain the Fregian [17]
seed-thought for the full concept of trust, which then unfolds as explicit
truth-conditions when applied to each practical stance, which, in turn,
may provide different truth-values to each observer. In other words,
the abstract definition is fully abstract -- so, it can be behind all different
truth-values one may derive from the concept of trust, for each observer
and in each case. Accordingly, the abstract definition for information
is defined to be "that which is transferred from a source to a destination,
using a communication channel" [Ger97], which may
highlight the differences and similarities with the given definition of
trust, above -- and also does not use any a priori uncertainty models.
Mathematically, the author views an abstract definition as an abstract
class, which can be represented by appropriate operators in almost any
number of formalisms or stances, that may not be isomorphic to one another
and which can be calculated in specific reference frames or observer coordinates.
Such operators do not have to be transformable into one another and can
directly yield final values -- which operators and values, clearly, may
be very different as a function of formalism and reference frame but which,
nonetheless, result all from the same abstract class.
Application of the abstract definition leads to explicit definitions, each
of which needs an explicit stance and explicit observers. For example,
to apply the abstract trust definition to certification, one only needs
to see a certificate as a secure communication channel between the parties
in the dialogue, past and present -- also including third-parties such
as a CA. To apply it to other areas, one only has to recognize what the
communication channel is and what is essential to it -- as viewed by an
observer. In other words, we are now at liberty to define any number of
concrete trust models (i.e., explicitly model ling a particular situation
at hand, to the best effort) that conform to our one abstract model of
trust (i.e., the abstract trust definition). For example, more than thirty
different explicit trust models are derived in this work, as examples,
but many more are possible. It is important to note that the observer can
be either party, both, none (i.e., can also be a third-party) or several
in several combinations.
If there is no communication channel from the
outside to the system, then the system views itself as isolated and it
is not possible for the system to have any trust besides self-trust --
i.e., an isolated system can only have self-trust because it only communicates
with itself, past and present. The outside world may however receive communications
from the system -- which can allow the outside world to have trust in regard
to an isolated system. See the definition and discussion on self-trust.So, using the definition of trust just given and moving
toward an understanding of the definition by using examples, when a lion
communicates with a lamb the lion does not need to receive any transfer
from the lamb besides that which is communicated in the channel itself,
whereas the lamb needs to know whether the lion is hungry -- which
is not information and which cannot be transferred in the same channel.
If such data were information, then it would be new to the lamb (sorry,
ex-lamb, now food). If such data would be transferred in the same channel
how would the lamb know that the lion was not lying?
This example shows the interplay between trust and power.
A very large difference in power, of one agent over another, implies that
the more powerful agent can offset and control the other agent to such
a degree that the other agent's actions are immaterial, even if the actions
are already occurring -- hence, no trust on the least powerful agent is
needed in such case. On the other hand, the least powerful agent needs
trust on the other agent's behavior, since it cannot offset or control
the other agent's actions in any degree -- it needs to know with high reliance
what the other agent's actions can be and, in some cases, what they cannot
be, before they happen. One example of the interplay between trust and
power was observed in history when the sea explorer Vasco da Gama circa
1498
opened the first commercial route from Europe to India by sea and used
the mutual exchange of "willfull-hostages" (the old version of ambassadors)
to physically warrant with their lives the mutual contractual obligations
in the bilateral merchant agreements [Mein98].--
since this was done because there was no initial mutual trust. The current
diplomatic action of recalling one's ambassador, considered diplomatically
to be a strong exterior sign of disagreement between countries, has
its roots also in the early use of ambassadors as willfull-hostages subject
to physical retaliation (as ambassadors have been jailed and killed because
of political/mercantile disagreements, even in the recent past) -- notwithstanding
the consideration that it is deeply illogical to disrupt a communication
channel (i.e., that uses the ambassador as the trusted carrier) exactly
when the channel is mostly needed. Further, ambassadors are an anthropomorphic
example of the fact that trust is indeed the carrier of information, not
the other way around, as this paper discusses in Section 4.
Thus, loosely speaking, "information is what you do not expect"
and "trust is what you know". Linking both concepts, "trust is qualified
reliance on received information". We have thus used the abstract definition
of trust and built the first two explicit definitions of trust, albeit
in a very much simplified context and using an anthropomorphic metaphor.
"To make progress in understanding all this, we probably
need to begin with simplified (oversimplified?) models and ignore the critics'
tirade that the real world is more complex. The real world is always more
complex, which has the advantage that we shan't run out of work." [Ball84].
All these considerations can now be viewed non-anthropomorphically
when dealing with the concept of trust in communication engineering and
security design -- i.e., using the given abstract definition of trust and
applying the same reasoning to computable processes. For example to understand
how software agents could benefit from similar concepts and strategies.
Further, the importance of the anthropomorphic metaphor used in this work
is to provide a class of test examples that are a priori observable
(i.e., exist at least once), describable, decidable, finite and possible
-- without being necessarily causal, ergodic, reversible, deterministic,
probabilistic, etc. This may motivate the reader as to the engineering
usefulness of some apparently philosophical passages in this work and
to their direct application in several areas of work, when properly instantiated.

As a better approximation to the definition that "trust is what you
know" in the anthropomorphic metaphor, consider that "trust is what you
know you know you know" -- i.e., the lamb not only needs to know (i.e.,
be aware of, can spontaneously recall) that it knows the lion is not hungry
but must also be able to know how to act upon that knowledge. At the human
instance, this means that you cannot use your 'prior knowledge' (i.e.,
what you know you know) in order to do anything, unless you also know about
the applicability of that 'knowledge'. The extension to software agents
is immediate; for example a trusted mobile agent may not be trusted as
a function of changes in its operating platform (the pragmatics used) --
even though the platform itself may be secure and expressible enough --
if you have no evidence of that.

Trust and information are to be understood thus as two cardinal properties
of communication systems -- their interplay affording new modes of communication
(to be dealt with elsewhere), for example allowing meaning (semantics
in semiotics) to be relinked with names (syntactic in semiotics) at the
receiver side [see [A.4.3].

The issue here is that not only "what" but also "how"
should be user-definable if we want the Internet to transport syntactic
(e.g., references or names in ASCII text) as well as semantics (e.g., meaning),
which are linked ex-transport by user trust -- i.e., not in the same
channel timewise but can use different time slots for transport .

The second explicit trust definition given above will now be cast
in equivalent Information Theory terms. Here, I also exemplify a second
derivation method. Instead of using the abstract definition directly, it
is possible to begin with the already derived expression "trust is qualified
reliance on received information" and concretely specify the observer,
the observed and the existence of a (yet unnamed) reliance metric -- deriving
another explicit definition of trust as "that which an observer knows about
an entity and can rely upon to some extent".

To proceed, we can now specify the reliance metric and its applicability.
First, I note:

(i) "that which an observer knows and can rely upon to some extent"
can be modeled in Information Theory as an estimator with variance as small
as desired, which estimator by an observer (quasi-zero variance),
that has measured the expected unsupervised behavior (i.e., unsupervised
by the observer) of an entity and,

A note on quasi-zero variance. The prefix "quasi" means
"as if", "approximately". Thus, the term "quasi-zero" is used to illustrate
two important points: (i) quasi-zero means "approximately zero" and represents
a positive value which is as close to zero as desired by the observer,
(ii) the amount of "closeness" is subjective and is defined by the observer.
Thus, "quasi-zero variance" means a variance that is "as if" it were zero
to the observer -- i.e., so small that is considered to be zero to
the observer, which however could be considered large to another
observer. The same applies to the term "high-reliance" to be used
later on in the exposition, where "high" means as close to 100% as desired
by the observer -- however, possibly different for different observers.
In both cases, one is enforcing the concept of high-reliability -- while
high-accuracy is dealt with by the proper extent of "matters of x".
(ii) the abstract definition depends on an abstract temporal or event
clause -- trust must be defined at some time T in relationship to
the communication process itself.

The next explicit definition is thus "trust is that which an observer
has estimated with quasi-zero variance at time T, about an entity's (unsupervised)
behavior on matters of x". Note that the word "estimated"
does not mean probabilistically, but is linked to any estimation or inference
process in general -- such as by using inference, deduction, computability,
probabilistic theories, constraints, etc., and also in combination. Hence,
an observer can rely upon an estimator that it has obtained in the past
in order to predict future unsupervised behavior of the entity regarding
matters of x -- because the estimator has an expected quasi-zero variance.

Thus, trust can be described by a "Non-Probabilistic Inference Model
of Trust" (NPIMT). Of course, "non-probabilistic" does not mean that probability
is not used in the trust model -- as explained above.

The underlying concept of this model of trust is that of justification.
It is not essential to this model of trust whether a natural or logical
connection exists between trust and justification. Of course, the use of
probability or deductive-logic may serve to raise the level of justification
for a subject matter, when compared to a natural connection that is simply
observed.

Justification defines the context of trust for the truster. In other
words, justification defines the context of a relying party's (RP's) reliance
[9].
It's easy to say that a truster's justification of trust, or a RP's justification
of reliance, is a matter of need. But this is not quantitative. If we are
to make some progress in this, we need to define those needs as degrees
or levels -- i.e., in terms that we can identify their differences and
their required trust models. Thus, it all hinges on the definition for
justification, as a metric function that decides what is justified and
what is not. Which definition can be changed as needed, even for the same
person in the same trust act (this might sound strange but is very
much needed as we usually deal with more than one person/company at a time
even for one transaction --e.g., buying, paying, delivery, maintenance,
etc.). All these definitions, however, must interwork in terms of meaning.
It is not enough that they interoperate syntactically.

I now introduce the concept of "best justification" as that justification
level which leaves the truster with no doubts. This is consistent with
the idea that trust (or distrust) is always 100%, what changes in
value is the extent of trust that is chosen by the truster. Likewise,
the extent of the doubts that must be satisfied in "best justification
" is chosen by the truster.

To simplify, let us begin with the following five reliance levels, from
weaker to stronger, for a truster (or RP):

(0) What the truster relies upon without any consideration
of "why" and without any recourse. It is a subjective metric, here called
"open reliance".

(1) What the truster relies upon without any consideration of "why".
It is a subjective metric, also called "actual reliance", similar to the
same concept in law.

(2) What the truster relies upon because it is presented by a party
accepted by the truster for that purpose. It is a intersubjective metric,
usually called "authorization reliance", similar to the same concept in
law.

(3) What the truster as a reasonable man might do, with all prudence
that might be reasonable to use. It is an objective metric, also
called "reasonable reliance", similar to the same concept in case law
which establishes it as an objective test given by "what would
be reasonable for a prudent man to do under the circumstances".

(4) What can be justified by the truster after an examination of the
facts presented. It is a subjective metric, also called "justified reliance",
similar to the same concept in law.

Another example might be what a fair random process might choose, given
all possibilities. This is an objective metric, here called "statistical
reliance", similar to the same concept in law, used in lotteries, auditing
and some payment systems for example. Yet another example might be what
has been verified with some chosen technology, but only automatically.
This is an objective metric, here called "process reliance", and can be
useful for security-automated processes.

"Best justification" is a conceptual metric for certainty
in the truster's terms. Of course, equal metrics will make matters
easy when dealing with different trusters, but unequal metrics (i.e., different
"best justifications") can be handled well provided the link between both
metrics is known (the link is another metric). I also note that "best justification"
allows subjective, intersubjective, objective or mixed metrics to be used.

- "matters of x": description of expected action, action/reaction or linkage
in a setting, in terms of the truster and confined to the largest extent
that still fits in the "best justification" metric [A_3].

"Matters of x" is a conceptual metric for accuracy in
the truster's terms. It defines conformity to what the truster expects
to be certain. "Matters of x" defines a model that will be used by the
truster to locally represent the trustee's remote and unseen actions, actions/reactions
and linkages. It is not a perceptual metric and its usage does not depend
on perception -- i.e., it is used when there is no perception. When measurements
are not possible, one needs to use trust.

- "epoch" or only "time": space, time, events, agents, persons, objects
or a set thereof in terms of the truster, which define a setting for "matters
of x" and for "best justification", such as: initial date, expiration date,
revalidation date, usage periods, number of times used, event trigger,
distance data, environment data, language specification, network protocol
specification, platform used, physical network used, location, users, etc.,
either as a single point or as a sequence of points.

"Epoch" is a metric for reliability, as it defines not
the extent of "matters of x" but the extent to which it can yield the same
results -- its reliance context in space and time. It is a subjective perceptual
metric, and, to be useful, implies a precise model. The set of all
possible epochs is called "pragmatics" in semiotics.

- "entity" or "trustee": person, agent, object or a group thereof on which
"matters of x" logically or naturally depends, in terms of "best justification"
as seen by the truster and within the "epoch".

"Entity" is a metric for accountability, as it links
cause with effects within a given environment. It is a subjective perceptual
metric.

and define, in terms of a truster and trustee (entity):

- "trust-point": matters of x, for a given entity and epoch.

- "trust": (noun) a linked collective of trust-points

- "to trust": (verb) to rely on trust

- "A trusts B on matters of x at epoch T": a boolean trust-proposition,
which is either true or false.

Now, I note that "to rely" is an essential aspect of trust as a verb,
since A cannot trust B on matters of x at epoch T unless A actively relies
on that trust-point. I also note that when the definition says that "to
trust" is "to rely on trust" this does not imply circularity because "trust"
is used as a previously and independently defined noun in order to define
the verb "to trust". Further, to compare with matters of law, the usual
legal concept of "reasonable reliance" is understood [SCUS]
to be an objective legal standard for collective evaluations (such as by
a jury) while "justified reliance" is understood [SCUS]
to be a subjective legal standard more generally acceptable for evaluating
individual actions -- which makes "subjective reliance" in law very similar
to the concept of trust based on the metric of best justification, as given
above.

Which means that trust is not auditing -- trust is that which can be
relied upon without surveillance by the observer (possibly because it cannot
be measured due to physical, secrecy, cost, time or other difficulties).
It is also possible for the observer to indirectly and anonymously
gather sufficient information to define a suitable estimator for the entity's
behavior on matters of x, without any contact with the entity itself --as
when using a trusted proxy (which, however, depends on a primary trust
relationship with the proxy). Further, the observer can also use the measured
estimator at time T to analyze past behavior of the entity (i.e., before
time T). So, the estimator can be seen as a quantitative forward- and backward-predictor
for the acts of an entity regarding matters of x, when that entity is not
supervised by the observer.

The next three paragraphs touch upon a large difference between the
technical use of "trust" (as defined) and "trust" in the social and linguistic
domains. The difference is not on the meanings of trust, which remain equivalent
also with the considerations below, but how to represent different degrees
and extent of trust. The exposition presents a method (based on full atomic
qualification) which is precise and compact, well suited both for technical
as well as for non-technical use -- however, perhaps too formal for every-day
use. As the second paragraph shows, such "poetic" and "every-day" use of
trust also wrongly permeates security work or communication protocols --
rendering trust concepts difficult to use, because ill-defined. This may
explain trust's "bad name" as a difficult concept, perhaps even as an overly-loaded
terminology. The problem is not however in the concept of "trust" by itself,
but in using wrong trust quantifiers. The third paragraph extends
the method (i.e., based on full atomic qualification) to the questions
of defined versus undefined trust, allowing indeterminacies to be resolved
in a simple and intuitive way.

To represent degrees of trust, the estimator's (quasi-zero) variance
is not allowed to change, because such would not be a useful model (see
next paragraph). Rather, without loss of generality, the estimator is kept
at quasi-zero variance but its reach (e.g., as given by matters of x) is
increased to reflect a higher degree or decreased to reflect a lower degree
of trust. This is similar to the mathematical procedure of finding an area
under a curve that represents near 100% reliance (i.e., quasi-zero variance)
on matters of x. In other words, we regard the issues of reliability
and accuracy as two fully independent variables: (i) high-reliability
is demanded as the primary parameter and is reflected in the estimator's
quasi-zero variance or high-reliance, (ii) accuracy is measured
by the extent of "matters of x" that still allows high-reliability. Thus,
if the observer has no trust on the observed entity, then x is the empty
set (i.e., 100% reliance on nothing represents zero area under the curve
-- or, no trust). As the observer increases its degree of trust on the
entity, then the estimator becomes more and more complex and represents
an enlarged set of matters of x for which the entity can be represented
with quasi-zero variance (i.e., with near 100% reliance) -- i.e., achieving
more accuracy for the predictions, but without sacrificing reliability.
This means that trust can also be defined explicitly by "trust is that
which an observer has estimated with high-reliance at epoch T, about an
entity's (unsupervised) behavior on matters of x".

Oftentimes, some trust models, risk management policies and security
policies try to qualify degrees of trust with concepts such as "partial
trust", "marginal trust", "fully trusted", or by defining multi-level
logic with rules for majority voting and precedence. That is done
to try to convey the idea of how well can "trust be trusted" -- which
easily leads to circular truth conditions and undefined statements.
For example, does "partial trust" mean increased unreliance on the expected
outcome, on the expected model for all possible outcomes or a reduction
on the model's scope? Partial in relationship to what? Thus,
such trust "qualifiers" are unable to address atomic qualities in the trust
concept and just operate, at most, as a collective qualitative indicator
from that particular observer's viewpoint. The author takes the stance
that no qualifiers whatsoever (i.e., partial, marginal, complete,
bad, good, large, small, minimum, maximum, etc.) should be used with the
word trust because they are neither well-defined, quantitative nor needed.
Further, they introduce an additional layer of intersubjective concepts
and they decrease the semantic importance of the word trust itself. Instead,
it is better to recognize that the concept of trust has already by
itself such qualifiers "built-in" in its own qualifier "matters of
x" -- which can however include the atomic qualities which are unaddressable
from without. To exemplify, compare the phrase "Bob has partial trust that
Alice will not receive a ticket for speeding" with "Bob trusts Alice on
matters of x", where "matters of x" is "Alice may receive tickets for speeding".
The same thought is expressed in both phrases but the last phrase allows
a precise answer to the question "What is trusted?" and can thus be directly
applied in appropriate predicate calculus. The last phrase can also
easily lead to a quantitative and atomic treatment, when Bob has
more knowledge on Alice's behavior and may be able to define "matters of
x" as "Alice receives tickets for speeding with a 10% chance every time
she drives at night, with a +-5% absolute variance". It is
not necessary either to define distrust or lack of trust, because distrust
is simply the atomic negation of a particular matter of trust, which can
be as extensively negated as we need, e.g. in "Bob trusts Alice on matters
of x" where x is the null set -- so that effectively Bob trusts Alice on
nothing. However, trust can be negative as when you affirm
that you trust someone to be untrustworthy. Further considerations on these
issues are given below and in the discussion on matters of
x.

Still on the question of degrees of trust, it is also customary to discuss
"unqualified trust" versus "qualified trust" -- with expressions such as
"Alice trusts Bob" being "unqualified trust". This paper takes the
stance that such expressions are dubious, are not necessary and should
not be used in technical work (albeit possibly useful in poetry) -- for
example, in "Alice trusts Bob" is "matters of x" unknown, abstractly defined
by Alice or, is x the Universe set? As explained in the former paragraph,
the built-in qualifier "matters of x" has to be recognized and its truth-value
must be defined in the trust proposition -- e.g., by defining "x" in "Alice
trusts Bob on matters of x". Thus, if one means that Alice trusts Bob on
all matters then this can be expressed by using "x=U", where U is the Universe
set. Or, if one means that its value is abstractly defined by Alice then
one uses "x=Alice" and this means that Alice defines what Alice trusts
on Bob. If "matters of x" is unknown then one uses "x=0" where "0" is the
null set -- i.e., trust on the unknown has a null set of trusted
matters. This standard usage allows a precise statement of the trust proposition,
clearly a need for precise calculations, which is natural and easy to define
in the presented formalism. As a special case, it is however useful to
define that "Alice trusts Bob" necessarily means the case
with x=U -- which matches the intransitive usage of the verb trust, as
"In God we trust". Thus, without a "matter of x" qualifier, an unambiguous
and intuitive use of the trust proposition "A trusts B" should imply that
the qualifier x must be equal to the Universe set.

It is instructive to view trust as an open-loop control process,
in control theory terminology -- i.e., a control process which does not
rely on a closed feedback loop in order to achieve its purposes. This comparison
allows one to recall the advantages and disadvantages of open-loop control
(e.g., trust) vis-a-vis closed-loop control (e.g., close surveillance)
and apply them to the case at hand. In control theory, the basic parameter
to measure performance is position-error -- which translates here to
the trustee's actual response as compared to its expected or estimated
(i.e., trusted) response. In open loop-control, one method frequently used
to decrease position-error is to introduce periodic checks of any convenient
system variable, not necessarily the control variable. This is equivalent
to the well-known dictum: "trust but verify" -- implying the need
for a pre-defined policy of checks and balances that can periodically adjust
the trust estimator as a function of observed behavior. Further interesting
qualities of trust over close surveillance can be exemplified by the mentioned
control theory analogy, regarding the main advantages of open-loop control
over closed-loop control: simpler systems (hence, less cost and better
fault-tolerance), immediate response (i.e., nothing needs to be measured
in order for it to operate), easier design (e.g., avoiding probable but
unknown pitfalls of complex designs), easier interfacing (i.e., suffers
and exerts less influence on the rest of the system), modular design (i.e.,
complete and interchangeable), cheaper, etc. Thus, trust can
also be explicitly defined as "trust is an open-loop control process
of an entity's response on matters of x" or, less precisely but
more concisely, also as "trust is to rely upon actions at a distance".

Trust on an entity cannot be viewed as a consequence of insurance or,
as often wrongly expressed "It's not about who you trust, but who backs
and indemnifies the context of the trust" . The use of insurance
always signals lack of knowledge -- so, clearly, it cannot
replace it, it cannot replace trust. Further, there is no insurance
needed for a sure event and there is no insurance possible for a sure risk.
To exemplify another problem caused by such understanding, if a truster
(e.g., a CA subscriber that trusts the CA) is going to for pay insurance
to cover his liabilities and the trustee's (e.g., CA's liabilities)
-- which is what it would amount to if trust would be based on insurance
because the bill has to end somewhere -- then responsibility has
gone full-circle and is now only in the truster's hands -- both to get
adequate coverage and to pay for it. While the trustee (e.g., the CA) has
zero risk. However, that does not solve the risk problem for the
truster either, if the trustee's acts may affect third-parties
-- such as when a CA's (i.e., the trustee's) certificate is issued
for a CA subscriber (i.e., the truster) but will be actually used by a
generic user (i.e., a third-party) to certify the subscriber. Here,
one cannot make the whole world sign up one huge insurance policy -- so
the truster and the trustee may be protected by the insurance policy that
the truster has bought with their names as beneficiaries but that
does not protect a generic third-party (ie, the rest of the world) that
may rely upon the trustee's acts on behalf of the truster (e.g., the certificate
issued by the CA and purportedly including the intended subscriber's correct
data).

Trust is not to be confused with accountability -- as sometimes expressed:
"for e-commerce, trust is pretty well irrelevant and what you need is accountability".
Indeed, the interplay between trust and accountability is sometimes difficult
to delineate. But, here, logic can help. Suppose you have the information
that A is accountable on matters of x. Can this information be trusted?
So, trust is the vehicle, the carrier for accountability.

Trust is not belief but may be expressed in terms of belief. As one
can derive from the work of Dempster and Shafer [DS97],
[Ger97], "belief is the probability that the evidence
supports the claim". Thus, belief can indeed be used to gauge reliance
on a trust-point, i.e., to verify if "matters of x" really represents "well
enough" the entity's actual behavior vis-a-vis the evidence. If one uses
the concept of belief, then trust can be defined by "trust is received
information which has a degree of belief that is acceptable to an observer"
-- which is linked to the concept of local knowledge in [Ger97],
hence "trust is knowledge acceptable by an observer".

Trust is not probability, neither in frequency nor in Bayesian interpretation,
but may be expressed in terms of probability in either case. The frequency
interpretation suffers from the "objective" aspect it assigns to probability
and from a strong dependence on past events -- while trust is subjective
and may suffer an abrupt transition to zero in one event. In the Bayesian
interpretation, even though one can compare Bayes-belief between different
events and such belief is subjective, "Bayes-knowledge" gained from recent
events and knowledge assumed from prior events cannot be treated as members
of the same set of "knowledge". Thus, "new trust" would be essentially
incompatible with prior trust, under Bayes. For example, "new trust" would
need to be binary and could not be learned unless a non-zero probability
for it already existed. Difficulties in the belief revision aspects of
Bayesian probability are important here, as discussed in the literature
for example by Wang [Wan93]. Further,
some aspects of trust imply conceptual coherence, while probabilities
only describe perceptual coherence. For example, if I have a formula that
can purportedly calculate any n-th digit of pi in base-16 (the Bailey-Borwein-Plouffe
pi formula), then my trust in this formula depends on its conceptual coherence
with the underlying mathematics. Which trust can justify my reliance on
all its possible perceptual outputs even though I cannot perceptually measure
all of them (i.e., I cannot verify all the infinite digits of pi that the
formula can predict, to see whether they are true or not).

As initially defined by Wally [Wal91] but modified
here in order to disambiguate imprecision from randomness and uncertainty
from outcome prediction, the terms uncertainty and imprecision
can be used to highlight different aspects of models. I define that a model
is uncertain if we cannot make statements about a single outcome, or certain
otherwise. The binomial model for flipping a coin is a good example of
an uncertain model, as we cannot predict a single flip, even though we
are sure that half of the tosses should come up heads if we wait long enough.
A model is imprecise if we cannot predict the long run behavior, or precise
otherwise. For example, we may have insufficient information about the
failure rate of a component of a new car type, in order to make a precise
model. Using this terminology together with the usual definitions for objective
and subjective, we can see that probability is an objective (frequency
analysis) or subjective (Bayes) precise uncertain model, belief is a subjective
imprecise uncertain model, fuzzy logic is an objective imprecise certain
model, whereas trust is a subjective precise and certain model. Thus, probability
is the mathematics of objective and subjective uncertainty while trust
as defined in this paper aims to be the mathematics of subjective certainty
and precision.

Trust can be negative -- meaning that you know you cannot trust. This
is a situation of "knowing with qualification that there is a definite
lack of trust", exemplified by the phrase from an actual work e-mail
message (names changed) by a contributor to this discussion: "As I stated
to James in our Team phone call on Wednesday, Acme has now taught
us to trust Acme to be untrustworthy, and we must hold that trust
until Acme breaks it, since there is no basis for any other kind
of trust." Of course, if we know we cannot trust then that qualified
lack of trust is trust.

Trust can be neutral, neither positive nor negative, as exemplified
by case C for Phill's modem in the Appendix [A.4.10]
-- corresponding to the case where one needs no trust. As explained
in NOTE 2, "needs zero trust" or "needs no trust" is not the same
as "has no trust". To say that "channel A has no trust for property
X" is the same as to say that "channel A does not transfer
trust for property X" -- so, if you need trust on property X you
cannot use channel A alone. However, when channel A "needs
zero trust for property X" it means that no other channel is needed
in order to transfer property X, but channel A.

It is interesting also to compare trust with risk -- which is
one
of the counterparts of trust. Indeed, if the risk is null then anyone can
be trusted. Or, if the risk is sure then no one can be trusted. Further,
more trust means less perceived risk that some piece of data, behavior,
etc. will turn out to be different than expected. The comparison between
risk and trust seems to have another contact point: this paper considers
that trust indeed has components which must be individually "perceived"
or earned -- in the same way that risk must be individually "perceived",
cf. Shrader-Frechette [S-F97]. This means that neither
can be just "assigned" -- because both are linked to what an observer can
estimate and rely upon to some justifiable extent. In her study on
risk evaluation, Schrader-Frechette explains:

"Assessors who subscribe to the "Expert-Judgment Strategy" assume
that one can always make a legitimate distinction between "actual risk"
calculated by experts and so-called "perceived risk" postulated by
laypersons. They assume that experts grasp real, not perceived,
risk, but that the public is able only to know perceived risk. This essay
argues that all risk is perceived, even though there are criteria for showing
why some risk perceptions are more objective or better than others. It
argues that, although risk is not wholly relative, it is unavoidably "perceived."
After showing what is wrong with the Expert-Judgment Strategy and the ethical
consequences following from its use, the essay argues for an alternative
approach to hazard evaluation and risk management. It describes a new,
negotiated (rather than merely expert-based) account of rational risk management."
thus, defending the use of subjectively centered perceived risk over expert-based
objective risk and further discussing eight different reasons for it. Using
this paper's terminology and Shrader-Frechette's study, risk can be explicitly
defined as "that which an observer has estimated at epoch T, about
an entity's failure possibility on matters of x", which allows risk
to be quantitatively used when calculating risk/cost factors as a function
of trust.

However, trust should not be confused with the absence of risk. The
fact that some parts (ie, aspects) of trust may use risk to formulate a
decision process does not mean that trust as a whole must be based on risk.
Further, if an aspect of trust uses risk as a tool in the decision process
to trust then that part may be described by probability but, not necessarily
-- as risk may not be ergodic itself.

Further comparisons can be useful, without a doubt. They are also
interesting to exercise the explicit meanings of trust which are being
developed as stances of the abstract definition. However, Section 4 will
provide general arguments that will allow a broader understanding of the
role of trust in communication systems -- making it possible to deal at
once with several comparisons. Section 3 deals with the need for
such comparisons, as a way of measuring if and how well the abstract definition
of trust can represent reality -- as a source for useful real-world models
of trust.

This paper considers trust to be essentially subjective, as one of its
main truth conditions. Which may present an apparent contradiction with
situations where trust may be perceived by some as objective (such as trust
on an objective fact -- e.g., life and death, money) or sometimes also
as intersubjective (such as trust on a professional ability -- which also
depends on the chosen professional). The main word here is "subjective"
-- which means that one needs to take a subjective or personal instance
in order to evaluate an object. For example, beauty is a subjective
concept ("beauty is in the eyes of the beholder"). A secondary word
is "intersubjective" -- meaning that this instance can yield different
results for objects of the same class. For example, a medical diagnosis
for a patient is intersubjective because the diagnosis itself is a particular
instance from the class of all diagnosis possible for that patient at that
time, each clearly dependent on the patient's relationship to the physician
and different from the other. It is interesting to note that an intersubjective
concept is overly-variable in reference to a subjective concept, because
it also depends on the particular instance of the class' object.

Thus, the paper considers trust to be subjective ("trust depends on
the observer") because trust is similar to beauty and dissimilar to a medical
diagnosis in that regard: trust and beauty are abstract objects that cannot
be differently instantiated. However, even though trust is subjective,
trust on a CA certificate is intersubjective because it cannot be harmonized
for all CAs or, even, for all similar certificates issued
by a particular CA. The conclusion is clear: trust is subjective but can
acquire an intersubjective dependence. Further, the subjectiveness
of trust may still allow a possible coherent intersubjective concordance
over a large population in regard to one entity -- which could lead to
an impression of its objectiveness.

Therefore, the proposed definition of trust can also easily explain
the oftentimes contradictory and seemingly confuse behavior of objective,
intersubjective and subjective perceptions of trust -- leading one time
to what seems to be "objective trust" (e.g., currency, life and death cycles,
the Earth's orbit, etc.) when there is a large collective of agents that
coherently trust one target, other times to "intersubjective
trust" (e.g., mother and son, certificates from a CA, etc.) when
there are some collectives of agents that develop mutual trust relationships,
and still other times to "subjective trust" when the subject independently
defines who or what the trustee is. Therefore, all these "trust modes"
can be simply explained by recognizing that they depend atomically on the
collective and individual actions of a large or small sample of agents
that, nonetheless, trust one another entirely subjectively. Which
easily explains historical difficulties such as faced by Galileo Galilei,
when he proposed to change the then "objective" trust that the Sun revolved
around the Earth. Clearly, it is much more difficult to change trust
when it is confused with fact -- which was the case.

As this paper shows, all trust is essentially subjective and all
trust is essentially knowledge that an observer has acquired and upon which
can rely to some extent -- which means that the observer not only evaluates
trust but also stores it either directly or indirectly, with all its multiple
interdependencies and relative reliabilities along a timespan. If
the occurrences that we see in time are called "perceived facts" --
whether objective, subjective or intersubjective -- then trust is not the
facts themselves but knowledge about the perceived facts -- which depends
on each observer. Essentially, in our interactions, we compare trust
-- not perceived facts and not facts. The same happens with our cyber agents,
software programs and also hardware -- which can then be recognized as
equally able to deal with and use "their" trust as we can with ours, even
and most importantly when in interaction with us. As we can understand from
the given real-world models above, this allows a common ground for
process-trust and social-trust, linking cyber and 3D worlds.

3. The Trust Definitions: Abstract
and Explicit

"The eye of understanding is like the eye of the sense;
for as you may see great objects through small crannies or levels, so you
may see great axioms of nature through small and contemptible instances.",
[Ba27].

To summarize the results so far, all possible "real-world models of trust"
for the Internet, law, e-commerce, linguistics, etc. are postulated and
defined by one abstract and formal definition, which is the seed-concept
for all the other definitions:
trust: "trust is that which is essential to a communication
channel but cannot be transferred from a source to a destination using
that channel",
In a general communication context, trust can then be defined
from the formal definition of trust given above by any of a series of combinations
of different instances and observers, leading to any number of equivalent
explicit definitions such as: (where the term "entity's behavior" is to
be understood as unsupervised by the observer, except possibly at epoch
T):

trust: "trust about an entity's behavior on matters
of x is that which an observer has estimated at epoch T with a variance
as small as desired",

or, conversely, by the equivalent explicit definition:
trust: "trust is that which an observer has estimated with
high-reliance at epoch T, about an entity's behavior on matters of x",
or, by other also equivalent explicit definitions -- which may convey other
modes of thought when the abstract definition is placed in different contexts:

trust: "trust is an open-loop control process of an entity's
response on matters of x",

trust: "trust is to rely upon actions at a distance",

trust: "trust is to rely upon reactions at a distance",

trust: "trust is to rely upon actions or reactions at a different
point in space or time",

trust: "trust is qualified reliance on information, based
on factors independent of that information",

trust: "trust is reliance on received information, coherently
with some extent",

trust: "trust is that which an observer can rely upon to some
known extent regarding a subject matter",

trust: "trust is what an observer knows about an entity
and can rely upon to a qualified extent",.

The definition of trust can also be instantiated for each particular worldview
such as objective, intersubjective and subjective -- from the abstract
formal definition:

objective trust: "trust is a coherent collective agreement"
-- which means that there is a collective equivalence on what is believed
to be true and valid, oftentimes confusing trust with "authorization" or
"license",

intersubjective trust: "trust is a bilateral agreement,
not necessarily balanced" -- which means that it can include skewed relationships,

subjective trust: "trust is what you know you know you know"
-- you know, can recall at will and know how to use.
Using the definition of belief [DS97], [Ger97],
as "belief is the probability that the evidence supports the claim",
one can also write:
trust: "trust is received information which has a degree of
belief that is acceptable to an observer",

trust: "trust is knowledge acceptable by an observer",

and, when using the concept of "one's perception" as a filter and a gauge
for reality, so that "one's perception" is actually a qualifier, it is
also possible to write:
trust: "trust is knowledge about one's perception of a fact",

trust: "trust is that which provides meaning to information",

and, using other stances including the absence of trust (as discussed elsewhere):
trust: "trust is a link between a local set of truth-values
and a remote set of truth-conditions",

trust: "trust is a link between reference and referent",

trust: "trust is a link between referent and sense",

trust: "trust is a link between reference and sense",

trust: "trust is measurable by the coherence of understanding"

trust: "trust is that which absence can make any state possible",

trust: "trust is that which absence can make any state transition
possible",

trust: "trust is that which absence can make a process non-ergodic",

trust: "trust is that which absence cannot justify reliance",

etc.,

Further, if we consider the rather naive but objective "definitions"
of time and space as "time is what can be measured by a clock" and "space
is what can be measured by a scale" then

trust: "trust is time measured without a clock and/or space
measured without a scale"

which anyone can try by timing five seconds without a clock and five feet
without a scale, for example -- where the time and space measurement depend
on subjective trust as "what you know you know you know" or, "you know,
can recall at will and know how to use". Perhaps, harder to do if I had
asked to measure one meter without a scale -- for the US readers. So, this
definition also means that:

trust: "trust is a link between conceptual and perceptual realities"
.

And, perhaps as difficult to objectively define as time and space -- since
we must always incur in some degree of circularity in their definitions
in terms of other terms. Which point out to the usefulness and generality
of the abstract definition of trust, that only depends on formal relationships
between intuitively definable objects (essential, communication channel,
source, destination, transfer).

The following definitions are also useful, in terms of the concept of
a "trust-point" for "matters of x" [A_3], where
a trust-point is the "elementary unit" of trust in a given metric:

trust-point: "matters of x, for a given entity and situation
(i.e., time, events, etc.)"

so that trust can be defined in terms of trust-points, as a molecule
can be defined in terms of a linked collective of atoms:

trust: (noun) "a linked collective of trust-points"

and we can now distinguish well between the noun and the verb functions
in reference to trust

to trust: (verb) "to rely on trust"

and introduce the concept of a "trust-proposition" in boolean logic:

A trusts B on matters of x at epoch T: a boolean trust-proposition,
which is either true or false.

Why trust propositions are binary? An anthropomorphic
example may help to explain. You are the collection of your thoughts, some
of which are assumptions to you and you are not quite sure of. Other thoughts
are self-trusted by you and you know you know that you can actively rely
upon them. For example, your name has self-trust to you. Do you have reasons
to believe it is true? Is your name your name? Certainly, is perhaps the
answer I would hear from you or from anyone else. But, what is the dividing
line between assumption" and "trust" in your mind? Depends on you, on each
human being, and mainly reflects your "best justification"
metric For example, Descartes, the French mathematician and philosopher,
used a very strict justification when he said that the only thing he was
certain of was that he existed and that he was certain of it because he
could think ("Cogito, ergo sum" -- "I think, thus I exist). From that starting
point, he constructed his reality -- what he trusted. So, to Descartes,
not even his name was trusted by him at first, in his analysis. He answered
"false" to the same decision problem you and everyone else would probably
answer "true". Thus, why trust propositions are binary? Because you have
to decide. Either you act, or you don't. You may rely to any degree as
given by the extent of matters of x -- but you must know 100% if you rely
or not.

The above definitions can be shown (A.1 and A.2)
to link well with the real-world use of the word "trust" as given in linguistics
and social sciences. In the author's opinion, linguistics holds a
hidden treasury for software and for behavior modeling regarding trust,
risk, etc. -- specially when one views it as an anthropomorphic metaphor
for software/hardware and targets also the mind/brain dichotomy as it applies
to software-hardware and what software really "is", besides the bytecode-runtime
(brain). According to this view, one should recognize that many complex
relationships have been already "modeled" and "coded" in each particular
linguistics, including different historical perspectives and commerce practices.
This leads to a new approach to semiotics to be pursued elsewhere
in its generality, which unfolds naturally from the central concept of
coherence -- coherence as a natural or logical connection.
One of its applications is a redefinition of "identification"
and "identity" in terms of coherence [Ger98b];
with various levels of identification given as I-1, I-2, etc. , and
including trust at level I-2 -- as that which is measured by
the coherence of understanding[Ger98c].

It must be pointed out that while many more explicit definitions of
trust are possible, also as a function of pragmatics (in semiotics),
the abstract definition is perhaps the most general and invariant formulation
-- the seed-concept for all the other definitions of trust.
As shown also in the Appendix, not only useful explicit definitions for
process-trust but also for social-trust can be derived from
it. Thus, whenever we refer to the "trust definition" we mean
the abstract formulation in first place and the explicit forms as secondary.
It is also important to note that other abstract definitions can be derived
from the given one, not just explicit definitions, but that is usually
not so useful because abstract definitions cannot be directly applied to
a case without first defining the stance and the observer (i.e., by defining
an appropriate a explicit definition).

However, what is the use of so many different derived definitions?
Here lies one of the most powerful aspects of the present treatment --
since all such definitions are equivalent, they can be potentially mixed
with one another in adequate logical propositions that may allow for different
trust stances and observers to be combined, as necessary. This means
that, for example, one may perfectly well consider in one statement a trust
proposition that depends both on trust on a system (which is process-trust
and acquires an objective quality) and, trust on the intentions of a person
using such system (which is social-trust and has an intersubjective quality).
The different statements (i.e., social versus process trust) would simply
use different trust-points to represent the different operators for matters
of x.

Another question that the reader may have at this point concerns a perhaps
expected polemic around the above definitions, specially the abstract definition
-- "is the abstract definition of trust the right one?". Clearly,
this is a right question. Paraphrasing Tarski [Tar44],
I hope that nothing that I have written here, will be interpreted
as a claim that the abstract definition of trust is the "right" or the
only possible one. However, what is "the right one"? Here, perhaps
the only metric we may accept is that given by Leshniewski and quoted as
this paper's motto: "A theory, ultimately, must be judged for
its accord with reality". This is the reason why we have extensively
looked into the question of what trust is and what it is not, when
comparing the predictions made by the abstract definition with the technical
and linguistic usage (see A.2) of the word "trust" in
our reality -- for several stances and observer relationships. We have
indeed verified that the given abstract definition produced results which
were semantically equivalent to a series of meanings of the word trust
which were investigated, with no exception. Since we covered the majority
of meanings that are needed in communication systems, based on several
common stances and observer relationships, the paper justifies the abstract
definition by its accord with reality -- at least, for the tested part
of reality. The reader is invited to test other parts of reality
and to communicate the results of such tests to the author, either for
positive
or for negative findings. Particularly interesting could be the application
of the abstract trust definition to other areas besides technical communication
processes , such as to test its usage also when modeling trust for legal
and social communication processes -- e.g., power relationships, managerial
activities, auditing, interpersonal relationships, art evaluation, etc.

It is useful also to consider the question whether the author should
have used a different word, for example "drust", instead of "trust" for
the abstract definition. However, the objective -- from the onset
-- is to define "trust" so that the abstract definition must be able to
produce explicit definitions which should be equivalent to the real-world
(i.e., social, legal, etc.) uses of the word "trust", at least for the
majority of useful cases. Thus, the question is not what is the concept
herein defined, but whether it is equivalent to what one would expect from
linguistics, social sciences, etc. Which, indeed, is the case at hand --
as already commented above.

The provided trust definition leads to several consequences, to be pursued
elsewhere, but the ones we need to cite here are:

"trust depends on the observer" -- or, "there is no absolute trust". What
you may know can differ from what I may know.

"trust only exists as self-trust". This means that only self-trust has
zero information content, so trust on others always have information content
(surprises or, unexpected behavior, either good or bad).

"two different observers cannot equally trust any received information".
Direct consequence of (1) and (2).

"a self-declaration cannot convey trust to another entity when using one
and the same communication channel". Direct consequence of the abstract
definition.

Self-trust is what the self knows it knows.
It includes everything that it knows about itself and that it knows about
anything external to it (all B such that self knows B), but it does not
include what the self does not know it knows. Self-trust (Merriam
Webster) is equivalent to self-confidence, which means "confidence in oneself
and oneself's powers and abilities" and dates back to 1637. In psychology,
self-trust is linked to "recall memory" -- which is the memory you can
access at any time without any prompting or clues. This is distinct
to "recognition memory" -- which depends on clues or external stimuli
to be accessed. Recognition memory is unsafe, as students often find
out -- when they trust they know the subject but they are unable to recall
it without proper stimulus when facing a blank sheet of paper...Clearly,
you may have excellent powers and abilities that you spontaneously ignore
-- but which may be nonetheless explored against you either by a semantic
"denial-of-service" attack, by a semantic "man-in-the-middle" attack, etc.
Not all attacks are syntactical, as we can recognize when we explore
our understanding how trust works.

The concept of self-trust depends also on communication
channels, but from past to present. Thus, the entity can transmit information
to itself at a later time, which is called memory. Self-trust depends on
the contents of such memories, when the entity can rely upon them to some
extent.

The same considerations above can also be used to understand
actions that may increase or decrease network security, where "self" is
the particular autonomous unit being considered (e.g., a program unit,
a smart-card, a piece of hardware, etc.). In the particular case
of Internet security, self-trust is concerned with spontaneous capabilities
and performance, including the pragmatics (ie, the area of semiotics that
describes the environment and passive/active attackers/observers) but without
any stimulus to self from the pragmatics.

If we accept the given trust definition then the above four consequences
are as mathematically unavoidable as Shannon's Theorems and leave us in
a severe predicament. If it is not self-trust then trust must be qualified
by defining the extent "x" of the observer's reliance on the entity --
as given by an estimator with quasi-zero variance on matters of x -- which
means that trust must be acquired somehow. However, how and to what measure
can I acquire trust? How can I communicate it? Since not all parts
of a public and distributed network can be supervised by myself and some
parts do not even belong to myself, while any part can be unwittingly shared
with malicious attackers, how can unsupervised reliance be defined and
evaluated? How can I rely upon an entity's declarations and acts when the
entity is using an Internet link? How can two unknown parties reciprocally
transfer a meaningful and reliable set of objects, such as their respective
cryptographic public-keys?

4. The Mathematical Properties of Trust

"When you can measure what you are speaking about, and
express it in numbers, you know something about it; but when you cannot
measure it, when you cannot express it in numbers, your knowledge is of
a meager and unsatisfactory kind", by Lord Kelvin.
To answer the above questions, we must now look at the mathematical properties
of trust. This is also similar to Shannon's approach -- when the logarithmic
function was found very useful to represent information content and allowed
new insights. As in [5], trust has the following
main mathematical properties:

not transitive

not distributive (in psychological, sociological and legal sense)

not associative (in mathematical sense; also in psychological, sociological
and legal sense)

not symmetric

where the reader can see the first two properties exemplified online in
[5].
The last property is straightforward: the fact that a lion trusts a lamb
does not mean that the lamb trusts the lion.

What is then the solution? How then and to what measure can I
acquire and communicate trust?

First, trust cannot be thought of as a type of authorization loop, where
trust flows from the source to the destination and back to the source,
similar to a battery and electric current. [6]

Further, contrary to information, trust cannot come in by a type of
add-on -- such as modulation on a carrier. Why? Because when you
modulate a carrier you are encoding information into that carrier and you
suppose that the carrier is pre-existent -- so the carrier has a very low
information content while the modulating signal has a very high information
content. Ideally, 0% and 100%. On the other hand, according to our definition,
trust must have zero information content (trust is what you know).

So, trust cannot be thought of as a modulating wave -- it is the carrier!
This is the paradigm shift that the development of intrinsic certification
[Ger97] was based upon in the first place. First acquisition,
then recognition.

Without the need to continue with a stepwise investigation as done in
Section 2, we can now generalize. The bottom line is that trust is akin
to a carrier of information -- which information can be anything we may
need: accountability, evidence, responsibility, validation, reliability,
generalization, uncertainty, consistency, truthfulness, legal reliance,
liabilities, warranties, ethics, monetary values, contract terms, deals,
person's name, person's DNA, fingerprints, bank account number, public-keys,
etc.

So, not only accountability but even truthfulness depends on trust.
Trust is a basic property of communication channels, similar to information.
I could say, in a very broad generalization, that "everything is information
and rides on trust"... which trust allows you to act or not, when based
on that information. So, this is a second-order Information Theory -- in
which we are not any more interested only on how much "surprise" data is
being transferred over a channel -- as measured by the uncertainty of the
party as to what the message will be. Rather, I now focus on what
is essential to that message but which cannot be transferred using that
channel (as trust is defined here) -- which can be equally quantitative
as information, though both are subjective.

For further examples of using the abstract definition of trust, see
A.4.10,
A.4.11
and the mcg-talk list repository.

My following assumption then is to mathematically model any suitable
explicit definition of trust (i.e., this is not a play on words but we
have to model our real-world model of trust) as a multivector
operator on information, which is parameterized by (t,d,s,...) where
t=transitive, d=distributive, s=symmetric, ... + other properties such
as time (see [6]). Of course, the mathematical
model may change if we change the explicit definition used to form the
representation -- but all models are upward compatible with the single
abstract definition of trust.

Any suitable trust model can now allows us to answer the basic trust
questions, as a function of cost and risk [7].

When (t=0, d=0, s=0, T=0, ...) we have "hard-trust" -- i.e., zero information
content (no surprises) and no risk. But, also, as isolated as an island
-- trust cannot be acquired or communicated.

When we allow the parameters (t,d,s,T, ...) to take non-zero values,
then we have "soft-trust" -- i.e., non-zero information content (bad and
good surprises) and ... risk. Here, trust can be acquired and communicated
but always tainted with information. In other words, "hard-trust" is only
applicable to self-trust -- because self-trust is untainted by information
(by definition, since it is known to the observer). However, trust must
be properly gauged [8] also as a function of risk/cost
if it is to be properly used in the soft-trust regime.

As a final remark on the mathematical properties of trust, a cursory
reading of this paper may give the impression that trust just depends on
appropriate out-of-band information. For example, one may think
that trust is warranted if "I, entity A, have independently verified
that the certificate is in fact from CA B, by virtue of having exercised
the appropriate out-of-band security procedure to confirm its authenticity".
This is far from truth, because of two main reasons already mentioned above:
(i) the non-boolean properties of trust and, (ii) the multivector aspects
of trust as a mathematical operator. For some examples, see [5].
This highlights the importance of the study of the mathematical properties
of trust, briefly sketched here and in the Appendix. Further references
are contained in the mcg-talk list (under the author's number-ID
416720) and in the sci.crypt newsgroup as well as in the lists e-carm,
cert-talk , dig-sig, ssl-users, ssl-talk, spki and others (under
the author's name).

5. Conclusions

"It is futile to do with more what can be done with fewer",
known as the "Occam's razor" principle because it was formulated
and extensively used by William Ockham, 1280-1349, in order to simplify
propositions.

From the discussion, trust is seen to emerge as the mathematics of subjective
certainty and precision. Trust was defined with only one abstract definition
-- "trust is that which is essential to a communication channel but
which cannot be transferred from a source to a destination using that channel"
-- cast in the general framework of Information Theory but without predicating
any uncertainty model. Information itself was also likewise defined. The
abstract definition of trust was shown to lead to any number of explicit
representations of trust (of which more than thirty were cited) that can
take into account the appropriate instance and observer roles in a measurement
process. Thus, trust can be differently represented as needed for each
instance and observer, but always with upward compatibility to one common
topmost parent concept. Which may be thought of as an interoperation mechanism
that is built-in by inheritance, between different representations.

When trust is represented as qualified reliance on received information,
it allows the definition of mathematical operators which can represent
the concept of soft-trust, when the truster permits (as in the real-world)
some degree of transitivity, distributivity and so on, which turns
out to be essential to Internet communication processes -- but which
open a series of security risks, as discussed in a broad context.

In practice, the theory is always more complicated.

Currently, the work proceeds on the development of a proper trust
algebra (using Grassmann's Algebra) that can represent and allow soft-trust
and its risks to be calculated with a type of proposition calculus. Trust
algebra is non-boolean but begins with boolean propositions of the type
"A trusts B on matters of x at epoch T" and unfolds into fully intersubjective
calculations on n-dimensions, which can be visualized by using the concept
of multivector intersection in Grassmann Algebra. Trust has thus subjective,
intersubjective and objective components -- as a multivector of arbitrary
dimension. Trust can be shown to be a cardinal property of certification
systems, as discussed in "Why is certification harder
than it looks?".

The arguments presented in the paper show already several common mistakes
that we must be aware of and avoid, when dealing with the concept of trust
in Internet certification, which are discussed in the Appendix -- specially
A.1.
Taking such model of trust further, as it will be presented in future papers
and in the Meta-Certificate Standard, leads to what is called "archetypical
trust model" as presented in the MCG-FAQ. In the model, even though the
trust operator is clearly non-Boolean (see the mathematical properties
above), it can be used to construct Boolean trust propositions (A.3)
that can represent not only binary but also tertiary, quaternary and generic
m-ary trust relationships. The concept of "critical radius of trust" is
also derived from space and time considerations of differently interacting
agents, where the critical radius is defined as the reach of soft-trust
where risk and cost are equal.

As recognized in linguistics and semantics, words should be used within
their generally accepted meanings as much as possible (in fact, some claim
that this is the main difference between science and poetry...).
The paper showed that the full content of the accepted social meanings
of the word trust, albeit of difficult conceptualization [McK96]
in its real-world and social uses, could nonetheless be well-modeled by
an abstract definition of trust within the framework of Information Theory
and communication processes -- thus rendering possible its scientific and
technical use a par with the social meanings. Semantically, the
abstract definition of trust contains the seed-thought of the full concept
of trust, which unfolds as explicit truth-conditions when applied to each
practical stance , which, in turn, may provide different truth-values
to each observer. The abstract and the explicit definitions
of trust can thus provide a common ground when dealing with trust,
in any context. Trust is also shown to be a new type of measurement:
how to rely upon actions at a distance. Thus, trust affords an answer
to the problem of measuring events that are important, significant but
which are essentially unreachable -- as strongly exemplified in the Internet,
but which may have applications in other areas of communication systems
and science.

Further, since trust can be shown (see A.4.3)
to be essential to allow meaning to be conveyed in communication, and not
just references, this paper advances the thesis that trust is a basic property
of Nature, such as time and information. Without trust, communication
in Nature would have no meaning -- which is clearly not the case, and which
negation supports the thesis. Further weight to the thesis comes from the
very historical difficulty to define trust so far, as mentioned in the
paper, which points out the basic nature of trust, as with any concept
that cannot be well-defined because it is primary -- e.g. time.This shows
the futility of any approach that may try to qualify trust by maiming it
-- i.e., by denying some of trust's truth conditions. Of course,
by artificially changing the contextual meanings of trust one cannot hope
to change the need to understand it or the need to use the true richness
of the concept it denotes.

The ancient Greeks, for example, defended for a long
time the concept that all physical lengths were exactly measurable --
which would lead to the expectation that all numbers that represent reality
must be rational. And yet, if we take a right triangle with sides equal
to one, the hypotenuse is not exactly measurable -- it is equal to the
square-root of two, which can be easily proved to be irrational. Further,
such a triangle can be easily built and exists. Or, if we take pi, which
is not only irrational but also transcendental, then we can construct any
number of circles with perimeters that are not exactly measurable. Even
if the Greeks would have artificially changed the meaning of the word rational
to mean real, still such lengths could not be exactly expressed by measurements
-- no matter how precise. The same applies to trust -- because it is
a basic natural concept that exists independently of the name we may assign
to it and, thus, cannot be better understood if its properties are partially
reduced.
For example, using the name trust to denote authorization, belief
or a lesser concept will not make trust's truth-values more useful or easier
to use in security designs. On the contrary, the truth-values of trust
will be even more difficult to grasp and use if trust's truth conditions
are ignored in a design, policy, theory or measurement.

Forthcoming papers will show that trust and information are necessary
and sufficient properties of a generic communication system that can use
pragmatics (environment) to transfer not only syntactic (reference)
but also semantics (sense) from a source to a destination; some results
are already available in the Appendix (see A.4.3)
and in the mcg-talk or trust-ref exchange.

Acknowledgments

The author acknowledges helpful hints and discussions with participants
of the Meta-Certificate Group discussions and the mcg-talk and trust-ref
lists, especially Einar Stefferud, Tony Bartoletti, Peter, tks, Pedro
Rezende, Ricardo Dahab, Nicholas Bohm, Mike Rosing, Waldyr Rodrigues, Pedro
John Meinrath, Frank O'Dwyer and also participants of several discussion
lists such as e-carm, ssl-talk, ssl-users, dig-sig, dig-cert, itanet, cert-talk,
SPKI list, IETF S/MIME , Usenet newsgroups such as talk.politics.crypto,
comp.security.misc, comp.security.pgp.discuss, sci.crypt, the Internet
community in general. However, this list does not mean their endorsement
or responsibility in this work, which is the sole responsibility of the
author, reflecting his viewpoints -- not the viewpoints of any corporation,
company, agency or Governments.

Appendix

(This section contains material from recent messages)

1. Model of Trust versus Trust Models

"A theory, ultimately, must be judged for its accord
with reality."S.
Leshniewski, (1886 - 1939)

The title is "Toward a Real-World Model of Trust" -- which has two
sides:

1. The model of trust or what should we understand by the word "trust"
in communication processes,
2. The trust models we can use, which will allow us to represent our
understanding of the word "trust" as defined.
These are two entirely different viewpoints. Let us initially investigate
possible models of trust that could be used, and compare them with the
model of trust defined in this work by the explicit and abstract definitions
already presented.

First, some think that one cannot compare the "digital" and "emotional"
concepts of trust -- the "digital" concept being the technical use of the
word trust as in communication processes, root-keys, digital signatures,
certificates, etc. and the "emotional" concept being the social understanding
of the word trust in commercial, legal and personal dealings.

Clearly, and to fix notation, the term digital trust is inappropriate
when applied to a communication process -- which can also be analogue.
Similarly, technical trust is also misleading, e.g. a technical argument
in law is quite different from a technical argument in engineering. The
best word here might be "process trust", which allows not only the protocol
but also the software, hardware, etc. to be included in the trust concept
-- e.g. a modem can also be trusted in the communication technical sense.
Similarly, "social trust" might also be better word to represent
the emotional, real-world, 3D or personal aspects of trust. So, I will
use preferentially both terms below: process trust and social
trust.

The concept of process trust has several definitions, as I have located
them and there are possibly more.

1. NSA: "a trusted system or component is one with the power to break
one's security policy" [10].

Comment: While some may consider that this definition
chimes in well with the relationship between a Trusted Third-Party and
a TTP-subscriber, it does have the merit that it considers trust
to be subjective. However, it includes any number of subjective,
intersubjective and objective dependencies into the concept of trust, which
may not be trust -- such as auditing. It also confuses the whole security
policy of the truster with that part which the trusted system can influence.
2. X.509: "Generally, an entity can be said to "trust" a second entity
when it (the first entity) makes the assumption that the second entity
will behave exactly as the first entity expects. This trust may apply only
for some specific function. The key role of trust in the authentication
framework is to describe the relationship between an authenticating entity
and a certification authority; an authenticating entity shall be certain
that it can trust the certification authority to create only valid and
reliable certificates." [11]

Comment: This definition is the equivalent boolean negation
of NSA's reported definition -- thus X.509 is basically subjective in its
trust assumption, which is however later on denied by X.509 itself -- such
as when predicating objective certificate chains or by allowing CAs to
define CPSs unilaterally. Further, it includes the concept of
"exact behavior" which is not possible to warrant, in the same way that
perfect security does not exist. Other inconsistencies in handling
trust are also apparent in X.509 [9], e.g. when
it uses "soft-trust" to impose a CA chain without discussing its validity/gauge
(i.e., either you need to accept to trust a CA you don't trust because
that CA was trusted by a CA you once trusted -- or you have
no option to proceed).

3. ABA Digital Signature Guidelines (ABADSG) I: trust is not defined per
se, but indirectly, by defining "trustworthy systems" (or, systems that
deserve trust) as "Computer hardware, software, and procedures that: (1)
are reasonably secure from intrusion and misuse; (2) provide a reasonably
reliable level of availability, reliability and correct operation; (3)
are reasonably suited to performing their intended functions; and (4) adhere
to generally accepted security principles. " [12]Comment: This definition is unfortunate in that it confuses
trust with fault-tolerance and other unrelated matters, especially so because
(for example) fault-tolerance is objective and can be quantitatively measured
by friends and foes alike -- whereas trust is the opposite.
4. ABADSG II: the ABADSG uses the word trust also in the legal sense of
something held in trust -- i.e., a property interest held by one person
for the benefit of another -- which has nothing to do with the issues here,
but may confuse the reader in a phrase such as "private key trust service"
which is later on defined to be a legal trust concept in the ABADSG document.
Comment: Perhaps, a better wording for such use of the
word trust in the ABADSG would result from rephrasing everything in order
to highlight the expression "in trust" for this legal concept, such as
using "private key service in trust" instead of "private key trust service".
[12]
5. PGP: even though PGP uses the word trust extensively, such as in web-of-trust,
the concept of trust is not explicitly defined by PGP and one has
the impression that PGP uses the social concept of trust.
Comment: In fact, this would be appropriate because
PGP was intended to be an e-mail security software for a close group of
friends and the friends themselves would provide for the trust management
issues -- in their own socially acceptable way. However, the trust
concepts developed in the paper point out some basic inconsistencies in
PGP [9], e.g. when PGP enforces a model of "hard-trust"
with "trust is intransitive" to setup entries in the web-of-trust but uses
"soft-trust" to upkeep entries, without discussing its validity/gauge nor
allowing for time factors such as lack of synchronism.
6. Real-world or Social: The concept of social trust can be obtained from
dictionaries, such as Merriam Webster: " 1 a : assured reliance on the
character, ability, strength, or truth of someone or something b : one
in which confidence is placed. 2 a : dependence on something future or
contingent : HOPE b : reliance on future payment for property (as merchandise)
delivered : CREDIT 3 a : a property interest held by one person for the
benefit of another b : a combination of firms or corporations formed by
a legal agreement; especially : one that reduces or threatens to reduce
competition 4 archaic: TRUSTWORTHINESS 5 a (1) : a charge or duty imposed
in faith or confidence or as a condition of some relationship (2): something
committed or entrusted to one to be used or cared for in the interest of
another b : responsible charge or office c : CARE, CUSTODY <the
child committed to her trust>"

Having presented the various definitions found for "process trust" and
"social trust", we can easily observe that they are not even concordant
between themselves -- much less with one another.

However, it is perhaps clear that they should all be equivalent, even
though different in their own domains. In other words, it should be possible
to find definitions of trust in each domain that would carry over to one
another as a matter of proper focus.

Thus, in this view, both "types" of trust are not apples and speedboats.
Communication protocols can and should indeed be based on social trust
concepts -- i.e., real-world concepts -- and not on some ad hoc and academically
unrealistic models. For example, a security design that considers
trust just a synonym for authorization. Further, the author considers it
already a bad sign if one is using a model of trust that divorces the digital
world or communication concept of "process trust" from the emotional, personal
or 3D world concept of "social trust". Instead of a "feature" of such a
model, it is a bug.

In fact, the social and communication aspects of trust must be well
integrated if a socially useful communication protocol is to be defined.
This will also be very important for the next intermingling of cyberspace
with our 3D-world, as discussed in A.4.7. As commented
before, one must recognize A_4_10that unless one arrives at a real-word
or social model of trust to be used in the electronic world, no logically
useful communication trust model can be set forth.

This idea is not entirely new. Besides Shannon, who used it successfully
50 years ago when modeling information, Phill Hallam-Baker declared
the following in Nov/94:

"We have two options either we can attempt to define wonderful
academic forms of trust model de novo. Or we can observe the real world
and attempt to model the trust mechanisms that allow it to function. Since
we do not see a hierarchical trust model it is not the solution. We do
not see anarchy either, or at least in places where it has taken hold it
is disaster. What we see is binary interpersonal relationships heavily
qualified in many ways. The approach that has always seemed most promising
to me is to replicate those relationships allowing them full color with
respect to the areas for which trust is granted (financial, notary, reliability
etc), the extent of such trust and the confidence with which that trust
is allowed." (SIC) [13]
Indeed, the reader can verify that the new abstract and explicit definitions
of trust in Information Theory terms can represent both the social and
the communication process aspects of trust in a single model -- that
essentially represents an abstract model for trust's core properties in
the real-world.

This can allow us to cross over different trust domains, so that a unique
model of trust can represent "social trust" (i.e., 3D world, emotional,
personal) when applied to a communication process (i.e., digital world)
as well as represent "process trust" (i.e., digital or technical
trust) when applied to a social situation.

In law, the designation "reasonable man" is a legal standard and applies
to the understanding that a judge must develop for a
jury in its decisions-- i.e., a "trust model", as the concept is defined
in this work. For example, if a judge trusts that a "reasonable man" would
have no doubt on the issues of fact involved, he may send the case for
summary judgment.

A "reasonable man" is also a metric for the "reasonable reliance" trust
model that a judge or jury can apply by themselves to a case.

I note that "reasonable reliance" is a legal objective trust model which
is being increasingly abandoned in favor of "justified
reliance" -- a legal subjective trust model. This can be explained
by the technical arguments outlined in this paper, to the extent that a
person always bases its acts on subjective trust -- besides the legal arguments.

Of course, technical arguments have a broad worldwide application whereas
legal arguments depend on country, state and even time. However,
legal arguments are interesting also -- as arguments cannot be played in
isolation. I quote some of the legal arguments and case law history
from a decision by the SUPREME COURT OF THE UNITED STATES, where Mr. Justice
Souter delivered the opinion of the Court in case No. 94-967 of WILLIAM
FIELD and NORINNE FIELD, PETITIONERS v. PHILIP W. MANS, on November 28,
1995 [SCUS]:

Here a contrast between a justifiable and reasonable reliance is clear:
"Although the plaintiff's reliance on the misrepresentation must be justifiable
. . . this does not mean that his conduct must conform to the standard
of the reasonable man. Justification is a matter of the qualities and characteristics
of the particular plaintiff, and the circumstances of the particular case,
rather than of the application of a community standard of conduct to all
cases."
Id., §545A, Comment b.

2. Linguistics

"One that will not plead that cause wherein
his tongue must be confuted by his conscience", in The Good Advocate,
Thomas Fuller (1608-1661).

It is important to recognize the linguistic value of the proposed trust
definition for communication systems, or, "is it really what we would use
the word trust for, in some circumstances, or should we use something else
as a name for the definition?"

Clearly, we would not (as cited above) use the words: assumption, knowledge,
belief or information.

As to the word trust itself, it was chosen exactly on semantic grounds
for the English language. Linguistically, "Trust" is akin to "true" and
"faithful", with a usual first dictionary meaning of "1 a : assured
reliance on the character, ability, strength, or truth of someone or something;
b : one in which confidence is placed."

So, in common English usage trust is what you place your confidence
in or, expect to be truthful -- that which you can rely upon. Of
course, this is a subjective metric since what a reasonable man may
need to consider in order to rely upon something is quite different than
what a naive truster may require. Perhaps, a naive truster will only require
an indication as a reason for reliance, and perhaps also a reasonable man
might do the same if what is at stake has a low value.

Thus, the explicit and abstract definitions of "trust" given here --
albeit technically directed to the terminology of Information Theory --
have a strong resemblance to everyday use, also when trust simply means
reliance on an indication.

It is also important to realize the subjectiveness of the definition.
Who defines what is "essential" in the formal abstract definition, or "high-reliance"
in the explicit definitions? Who defines what is true?The truster.
The truster defines the metric used to justify what it can rely upon and
what it considers to be true. Which can be subjective, intersubjective,
objective or a mixture of such types -- as we can see in the real-world.

3. Trust Propositions, Matters of x
and Metric-Functions

"No human inquiry can be a science unless it pursues
its path through mathematical exposition and demonstration." Leonardo da
Vinci.

The explicit definition of trust leads to concept of "trust proposition"
as a Boolean representation of a trust act. A trust act is seen as an encounter
(e.g., a "collision") between A (the truster) and B (the trustee) at time
T, during which encounter A gathers information on B, possibly unbeknownst
to B.
Comment: Clearly, the least B knows about A's measuring
actions, the better for A's reliance on the estimator as a valid representation
for B's acts which are unsupervised by A. This is similar to Heisenberg's
Uncertainty principle and will be pursued elsewhere. Further, while trust
is not auditing, B can clearly be supervised by other entities instead
of A. This can lead to complex tertiary, quaternary and general m-ary trust
relationships -- which can either increase or decrease security, as a function
of the different estimators for each entity and their logical relationships.
A binary trust proposition is of the form "A trusts B on matters of x at
time T", which evaluates either to true or false. Binary trust propositions
can be combined into m-ary expressions using the framework of Grassmann's
Algebra, as pursued elsewhere.

However, the question is: what is "x"?

First, "x" is a scalar, a trust-point. They represent behaviors
which are either known or can be predicted with quasi-zero variance.
This is not to be interpreted as saying that there is no room for
"maybes" or even unpredictability regarding the outcome of x, of course.
The point here is that while the expression "B trusts C on matters of x"
means "B knows that C is predictable with quasi-zero variance on
matters of x" -- and therefore B expects no surprises on such
"matters of x" -- here is a short list of what "matters of x" can be:

"C will throw a pair of dice and tell their results exactly",

"C will consult the weather chart and report what it says for today unless
it predicts rain in which case it will quote any past forecasts it desires
from the same month last year including rain",

"C will consult the Observatory and tell the time with a 5 second spread
over a 10 second delay, with an unknown probability distribution",

"C will tell his SSN when requested, with a 50% error margin on any digit",

"C will generate a random number and tell it exactly",

"C will generate a signal which can be non-ergodic and which has unknown
duration, at any time".

Trust-points can also be absolute or objective, such as "pi is 3.141592...",
"SHA-1 is defined in file F...", etc.

In each of these examples, I observe that we have actually defined an
equivalence class for matters that represent the "same" behavior "x" --
the same trust-point in its interactions.

But, what is "same"? Indeed, if we want to model trust, risk,
certification, privacy or even the security of cryptographic protocols,
one of the first questions we must ask is:

What does it mean for two quantities to be "close" to each other
or to be "far" apart?

In other words, we need a notion of distance between two quantities
-- for example between "trusted data" and "input data". How "close" is
the input data to data that can be trusted? When are they the "same"? This
is, of course, a basic question which we would like to answer as quantitatively
as possible .

Further, we need such notion of "distance" to satisfy some requirements:

(i) the distance must be the same if I just exchange the two quantities,
so that distance "looking into" one must be the same as
"looking into" the other.

(ii) the distance must be invariant under some class of transformations,
so that I can change reference frames under that
class of transformations and still meaningfully refer to that same
"distance".

(iii) the distance must correspond to a meaningful reference that I
can express, order and compare -- e.g., a number (even in cardinal
form -- i.e. as a measure over set equivalence).

(iv) if the distance is zero I would like the quantities to be considered
"equal".

(v) Conversely, if two quantities are "equal" I would like their "distance"
to be zero.

(vi) If I have three quantities which are distinguishable from each
other then I would like to define the notion that a direct path between
two quantities is shorter or equal than an indirect path that also includes
the third quantity -- like a triangle.

Now, I note that the notion of "equality" expressed above is not simply
that given by the "=" sign, but rather contains the idea of "equivalence"
-- for example, 2 and 4 are equivalently even numbers, though one cannot
say that "2=4". This is also often (and I will follow such usage)
expressed as indistinguishability -- 2 and 4 are even numbers and are indistinguishable
from one another in regard to being an even number, i.e, they cannot be
distinguished from one another in that aspect.

In looking thus to a general framework to express how "close" or how
"far" quantities are -- in other words, how distinguishable they are --
we realize that we have just stumbled into metric functions!

Metric functions are used to define a concept of "distance" between point
x and y, such distance being d(x,y). In particular, property (3) says that
if the points are equal (eg, indistinguishable from each other) then their
distance is zero. Conversely, property (4) says that if the distance is
zero then the points are equal. The "triangle inequality" given by property
(2) is the familiar statement that the sum of the lengths of the two opposing
sides in a triangle is larger than the length of the base side, being equal
if the sides are collinear. Last, property (1) says that the same distance
is obtained, whether you are looking to x or to y.

How is that applied to "matters of x" and why is it useful?

Because "matters of x" defines what is trusted by the entity, one can
thing of "matters of x" as a function of two arguments: the first one is
x (trusted) and the second is any input y (to be tested). The output of
the function indicates whether y is trusted or not:

matters-of(x,y) = 0 if trusted, a "number" > 0 otherwise.

It is easy to show that matters-of(x,y) can be defined so as to satisfy
all 4 properties of a metric function.

Now, if matters-of(x,y) is zero, we can say that x is indistinguishable
from y -- ie, they are "equal" in regard to trust. So, matters of x allows
us to define how "close" or how "far" some input is from being trusted
-- and can even provide us *paths* to move in "closer to trust".

This is already very useful because we can represent all the various
degrees of "quasi-trust" that we also follow in our reasoning -- but now
in software.

However there is more, in two basic results from mathematics.

The first one is that metric functions are rather easy to find, and
we are free to define whatever suits us and the modeling we have. For
example, we can use the notion of probability of error, Shannon mutual
information, Kolmogorov complexity, Bhattacharyya coefficient, least
square error, etc.

The second one is that if we formulate these concepts into metric functions
that obey the 4 properties, then it is irrelevant which one we use. It
is largely a matter or convenience.

Of course, there is much more to be said about the (in)distinguishability
problem and the use of metric functions, specially in potential uses of
this theory of trust. But the above comments may already show the general
principles involved, their usefulness and relative easy-of-use -- besides
the extreme flexibility they provide.

The structure of x, while a scalar, is that of an operator that represents
a process (see the specific definition of process in [Ger97].
This operator can be shown to obey the properties of a quotient ring in
Mathematics, also called a skew-field. Which allows the trust-points "x"
to be used as "elementary units" to construct multivectors in Grassmann's
Algebra, allowing very complex m-ary trust relationships to be represented
and affording an intuitive geometric vision. See the mcg-talk postings
on such subject.

The concept of "proper trust" can then be mathematically defined
as satisfactorily as the concept of "proper keys", by allowing trust
and keys to be fully described by convenient metric functions in a coordinate-invariant
formulation of certificates within a seven-dimensional metric-space [14].
As a general result, certification in communication processes is shown
to be mathematically equivalent [15] to the geometric
problem of distance measurement in a metric-space -- as can be intuitively
motivated by observing how key-distribution [16] works.

For two parties in a dialogue, all possible certification procedures
are then classified in only two models: extrinsic and intrinsic, with a
combined mode [Ger97]. All known security designs
correspond to the extrinsic model -- which depends on references that are
extrinsic to the current dialogue, with certification relative to a third-party
or past events. The intrinsic model is a new security design -- which depends
on references that are intrinsic to the current dialogue, with certification
obtained by measurements that rely upon intrinsic proofs.

The above discussion on trust can be used to investigate several timely
questions. Questions 1 and 2 are common Internet discussion items, nowadays
answered in the affirmative. Questions 3, 4,5 and 6 were supplied by Nicholas
Bohm. Questions 7, 8 and 9 were supplied by a MCG participant.
Questions 10 and 11 were asked by Phill
Hallam-Baker in the SPKI list.

1. Do we need unique names on the Internet? Or,
unambiguous names?

No. And, surprisingly, the solution may solve another historical flaw in
public-carrier communications.

No one needs a unique name over the Internet, nor a unique e-mail address,
nor even a un-ambiguous name in order to be uniquely identified. Neither
globally nor locally. Everyone can use their own common names if they so
wish, or any pseudonym they desire. This note shows that this is not
an issue for identification or security -- while it is a recurring subject,
an Internet myth. An equivocated security dogma.

Before we begin, it is important to comment that the
method to be proposed allows name and address collisions to decrease, not
increase -- as it is in the best interest of every user to have less collisions
and they are free to implement any name change that they may desire in
order to do so. This is similar to a social effect recognized in Economics,
but where I take the stance of recognizing the possibility of a naturally
occurring and autonomous virtuous process that can avoid what is called
the "tragedy of the commons" -- arising when a public resource
is degraded by over-use from a group of "commons", which onset of degradation
can however regulate the over-use by calling attention to the fact.
The solution is semantic addressing. It depends on two well-established
developments, logical semantics and public-key crypto, plus the current
work by the author on qualified reliance (trust) in Information Theory.
Using the terminology of semiotics (see item A.4.3),
it is hereafter called TSK/P (i.e., Trust, Semantics, Keys, over Pragmatics).

Logical semantics, albeit not very well-known, was pioneered by Frege
(see item A.4.3) and recognizes that a common name
has two quite independent components: reference (i.e., the symbol itself,
the byte string) and sense (i.e., the symbol's meaning), where the name's
reference is its syntactic value and the name's sense is its semantic value.
In other words, a name is viewed as a logical proposition which has two
independent attributes, the name's sense representing the name's truth
conditions and the name's reference representing the name's truth values.
Thus, the semantic theory advanced by Frege shows that an unlimited number
of entities can share the same reference (i.e., the same syntactic expression,
such as "John Smith") and yet each one can be uniquely identified by their
sense (i.e., each referent can be uniquely reached if and only each referent
has a unique sense).

In other words, the apparently "intuitive" referential theory
of meaning is wrong (see item A.4.3) and meaning can
never be derived from references, no matter how many -- it is impossible
to derive meaning from name. So, any person can choose at will any symbol
to be represented by -- and, per se, none will be better or worse
for identifying the person than any other ... in fact, they will be all
equally meaningless.

To exemplify the point, suppose I would ask you:

If all the people named "John Smith" could choose whatever
symbol they would want (ASCII, own photo, dog's photo, etc.) to be
one of their "names" in a certificate, what do you think they would
choose:

(a) John Smith(b) something useful and unique as decided by them(c) John Smith plus something useful and unique as decided
by them(d) something utterly unrelated to anything that John
Smith may be, know, possess or live nearby

What would be your answer?

My answer, in the case of the proposed method, is that
it could be whatever John desires: (a), (b), (c), (d) or even all of the
above at the same time. And security would not suffer, neither regarding
John's interests nor regarding a third party's interests.

This motivates two very important points, that should be allowed in the
system:

Referent-Centered: Clearly, the referent himself is the closest
person to himself and the best one to know his own sense and references
... which means that each person is better able to define his own references
so that they can maximally aid the connection between sense and reference
and not hamper it. For example, choosing one's own common name is helpful
because it allows that name to be naturally linked to the legal capacities
associated with one's own common name. And, conversely, the referent himself
is also better able to define an 100% uncorrelated pseudonym, if he so
desires to preserve his privacy by anonymity.

Self-Assigned Names: Pseudonyms can be useful to allay privacy concerns
in some cases. Artists and authors are known to use many different names.
In some countries such as the UK, one can change names at will and none
is less legal than another [7]. This does not speak against
self-assigned names (such as we are considering here) but supports them.
After all, it only depends on you to change your self-assigned name --
or nickname (not some key that you may have to keep because gazillions
of people have it).

Thus, it is a mathematical fact that entities can share any number of like
references and yet each one can be uniquely identified by their sense.
The question is, how to convey the different senses?

To show how that is possible, one first needs two Lemmas:

- Lemma 1: item A.4.3 proves that certificates
can fully carry references, but not sense -- not even partially and however
minute. While this provides an irrefutable mathematical reason for
the total uselessness of certificates to convey sense, it also shows that
certificates can wholly contain the name's reference -- securely and as
detailed as needed.

- Lemma 2: item A.4.3 proves further that the link
between reference and sense is provided by "proper trust", an essential
mathematical property in communication systems (as defined
by
the author in Information Theory terms).

Thus, as mathematically proved by the two Lemmas above (even though
already intuitively felt by many), a certificate is only meaningful (i.e.,
has meaning or, sense) when there is some degree of trust associated with
its signature and, each one of the certificate's data is meaningful
inasmuch as it is atomically trusted to some extent. Which points out the
key role played by trust in certification, in spite of the rhetoric being
usually centered on the syntactic aspects of its encoding, cryptography
and name schemes.

So, an entity's name can be ambiguous while the sense is not. References
can be wholly and securely transported by cryptographic certificates. However,
any reference, including what may be referenced in the certificate's legal
"four corners", cannot be linked to sense unless one uses "proper trust".
However, how can that be deemed useful, when contacting different referents
that have the same reference?

This question leads to the essential role played by crypto in TSK/P
to provide for reliable communications, which is not only a basis for certification
but is also needed for encryption/decryption.

The final step is simple. Clearly, one hundred people could share exactly
the same name and e-mail address and yet each could receive and send unique
and private messages by using different crypto keys.

Regarding the issue of key uniqueness, it is well-known
that a public-key of sufficient length is usually considered to be statistically
unique with a very comfortable margin. For example, the number of prime
numbers of length 512 bits or less is about 10^150, which is 10 followed
by 150 zeros. So, public-keys of 1024 bits which depend on the product
of two random prime numbers with 512 bits each can be generally considered
to be unique, even if asynchronously issued by a large number of independent
entities.
Now, even though common names are just references, they are however good
hooks for those keys. But if you go to the wrong hook by mistake or because
of name overloading ... no problem, the key will differ.

So, the bottom line is: with TSK/P, each person is free to improve upon
his own visibility or ... switch on an invisibility cloak. The TSK/P method
allows any user to control the syntax of his own names. Which is valid
for any "symbol" or "name" such as common names, e-mail address, DNS addresses,
keys, key-hashes, etc. -- without any adverse effect on security in regard
to a third-party but with several beneficial effects regarding one's own
security and privacy.

Thus, contrary to widespread belief, there is no reason to demand unique
common names or addresses in order to afford identification or Internet
security, because names do not identify. The world can continue to use
its historical practices. Clearly, if something or someone has a globally
unique name then, that is advantageous just like a globally trademarked
name is useful -- by providing zero collisions. But, as above, any number
of name collisions can be handled by proper semantics, proper trust and
proper cryptography.

Attacks:
Regarding the issue of unique keys, what could happen
in the case of errors, collusion, virus attack, simple theft, etc. in which
one's private-key is compromised without anyone noticing it? Since
a key must always be treated as a name (i.e., a symbol in semiotics) then
the same reasoning used above for common names applies to keys -- in TSK/P
one must always suppose to be properly dealing with an unknown number of
n-plicated keys, common names, key-hashes, etc. In other words, TSK/P's
security must neither depend on keys being unique nor on any other
reference being unique -- by hypothesis.

This is a very important point. The security of
TSK/P is semantic -- which presupposes that its three parts must work in
cooperation: "proper semantics", "proper trust" and "proper keys"--
and not just one part (e.g. keys or unique common names) or even
two parts (e.g., trusted keys, trusted common names). A TSK/P user
should be able to detect a key-collision (e.g., duplicated by mistake or
crime) by using that key together with "proper semantics" and "proper trust"
-- as long as properly allowed by the protocol (see item A.4.6
), of course. A more subtle problem is that of avoiding eavesdropping,
e.g. which may occur after an unnoticed security breach that compromises
one's private-key. This question should be solved also by a combination
of the three components of TSK/P -- for example, by periodically
renewing proper trust and keys as a function of cost and risk. Thus, the
TSK/P method does not treat keys as the one and only security barrier,
neither assumes keys to be unique and valid a priori. In fact, since
the method is based on an interplay between <semantics, trust, keys,
pragmatics>, key uniqueness must also be subject to the method's
proofs and management.

Clearly, the TSK/P method presents also a side benefit of enforcing by
protocol at least some minimum form of point to point cryptographic certification
and encryption in day to day communications -- which would tend to make
it essential and thus to be accepted by law and granted worldwide as everyone's
basic right to be identifiable, since there is no other technical solution
(the paper proves in items A.4.3 and A.4.6
that biometrics and even bio-implants cannot provide a solution either).
To the effect that privacy and security can come as a bonus from the technology,
allowing communication engineering to correct telephony's mistake of providing
easy access to security and privacy breaches. Which solves the historical
flaw in public-carrier communications: they are also content-public, with
eavesdropping built-in.

There are other benefits to this approach, not the least being the "household
effect" -- where crypto can become a household word and thus deserving
to be widely accepted without the psychological blocks that derive from
its historical use by criminals, spies, and other despicable abuses.

As an example of technology's reach by the household effect, not long
ago possession of a simple radio receiver had to be registered with proper
authorities in some countries and possession of even weak radio transmitters
demanded a license -- possession of a transmitter was viewed with suspicion,
criminalized. But with transistors it became evident that any $5.00 could
allow one to make either a receiver or a transmitter, which lead the way
to its present better and un-criminal status. The same can happen with
crypto, as it can cost less than $5.00 and can be as essential to day to
day life.

It depends on the technical community to show that to the general public,
communication companies, e-businesses, and governments. Crypto is in everyone's
best interest and, when linked with "proper trust", can completely solve
the current name and address ambiguity that plagues the Internet and e-business,
while providing both an irrefutable reason and a good argument to restore
privacy to one's private communications.

To those that may argue that "proper trust" is not so easy to grasp
and is a weak point, it is easy to point out that this is not a feature
of the method, but a feature of sense. Sense cannot be transported in certificates,
even if the certificate includes a thousand references and even if you
have a thousand certificates, all from different issuers. The paper provides
a full mathematically rigorous discussion of why the referential theory
of meaning fails, as initially proved by Frege, and why certificates can
just transport references, never sense. Thus, certificates have no meaning
per se -- even with so-called unique names, notwithstanding the names being
local or global. And, clearly, when we consider the names we have in the
3D-world (i.e., common names) as compared to the ones we have in the cyber-world
(i.e., keys, e-mail addresses, etc.) then we notice that the link between
sense and reference is missing in both worlds -- not just in the
cyber-world as often expressed.

To finalize:

Certificates, names, addresses, etc. are just references which have zero
sense when transported to you,

Surely, they may have had the expected sense at the origin (e.g., Verisign)
and they may have had the origin you think they had (e.g., Verisign) --
but you cannot prove it just by looking at those byte strings that you
received ...

To recover the connection to meaning, there is only one way: you
need to use trust to relink reference to meaning.

This basic procedures already happen today -- we just have to exploit them
maximally, to our benefit.

Of course, the same thoughts can be clearly applied to any other
situation that needs identification -- for example, routing, e-commerce,
credit-card protocols, rights management, etc. Thus, it can be applied
to DNS addresses for example, allowing WWW sites to be reached by sense
and not by reference. This will be discussed elsewhere.

2. Can keys or key-hashes be used at par with common
names, for entities? Since common names are temporary, can keys be used
in lieu of common names?

No.

The initial question is not whether common names or keys are temporary.
Nor whether they are equivalent because they are temporary. But, what are
their time scales. The Earth is temporary ... but that does not bother
us at all because we live on a different time scale. Keys live on the time
scale of weeks and even days or hours or minutes -- while common names
last more than a lifetime (as testaments show), can be back-traced and
remain legally valid even if legally changed and can be useful for centuries.
Thus, key-hashes (or, keys) and common names are not similar regarding
their lifetimes.

But, there are further reasons to consider common names and key-hashes
(or keys) as different concepts altogether and, thus, not interchangeable.

Common names are traceable for generations (even first names and whole
names, as families usually repeat first names, add I, II, III, etc.) so
names have a tendency of being somewhat better if repeated, whereas hashes
and keys are very ephemeral and we certainly do not expect them to be better
if repeated. Thus, a repeated common name gives confidence (i.e., conveys
trust) over time but a repeated key or key-hash immediately flags rejection
after some time.

Further, reliance on a cert should increase if the cert contains a common
name that is old (i.e., known beforehand) to you and that you can independently
contact and thereby confirm the cert. However, reliance on the cert's validity
must decrease with time, as discussed already. Besides, common names
carry an inherent legal value which is essential in some cases --
such as in credit-card transactions, wills, etc. -- whereas keys
or key-hashes do not represent any inherent legal capacity of their beholder.

Another point, and using the influential work of Leshniewski (ibid.),
is that common names can be seen as members of a collective class while
keys and key-hashes can be seen as members of a distributive class:

distributive class: when a class expression is identical with a
general reference, thus to say that a "DSS-key" belongs to the class of
DSS-keys is to say that "DSS-key" is a DSS-key. This class obeys all
the theorems of traditional Aristotelian logic and logical algebra, as
well as the logic of sets and relations. Members of a distributive class
are described by ontology.

collective class: when the whole is conceived as physically constituted
by its parts, thus the class of all entities called "John Smith" consists
of the entire collection of them. Hence, collective classes obey a general
logic theory of the relation between part and whole. Members of a
collective class are described by mereology.

Which sets {common names} and {keys, key-hashes} fully apart as to their
logical properties and to the logical rules they obey. This
is a basic result and the lack of its observance leads to strong paradoxes,
such as Russel's Paradox. Thus, it is not logically allowed to suppose
that common names, keys and key-hashes have equivalent properties. One
cannot treat them at par with one another in logical expressions, nor substitute
one (e.g., common names) with another (e.g., keys or key-hashes) interchangeably.

Thus, keys or key-hashes cannot be considered at par with common names
or in lieu of them -- they are objects, but of a different sort. They have
different communication purposes, different lifetimes, different trust
conditions and they belong to different logical classes.

3. What is a name? What does it reference? What
does a name mean? When I communicate over the Internet with an entity that
has a common name given in a certificate, what can I suppose about the
entity if I rely on the certificate's given common name?

(For an application of these concepts to Internet semantic addressing,
called the TSK/P system, see item A.4.1. However,
the needed theoretical backround is provided here.)

In the famous Lewis Carroll passage, one can read:
"When I use a word," Humpty Dumpty said in a rather a scornful tone, "it
means just what I choose it to mean -- neither more nor less."

Perhaps, one's tentative conclusion is that when one exchanges communications
with an entity that uses a common name, one generally relies on being able
to find behind that name either a particular mind or particular assets.
This thought implies a referential model of meaning, similar to Plato's
view of referential forms.

To investigate it, suppose we express the general concept of a name,
as a sign or a symbol -- e.g., my name is a symbol for myself. Then,
for example, if you see footsteps on the sand (i.e., a symbol, a name)
then you generally rely on the existence of someone that walked by (which
is the meaning or cause of the footsteps), or, if you see smoke (i.e.,
a symbol, a name) you rely on the existence of fire, and so on. Or, as
in the above question, you expect to find a particular mind or particular
assets that have a causal relationship to the name and which provides meaning
to your communication.

However, this model breaks down as I exemplify later on and Frege [17]
has shown around 1910 in Germany. He began his reasoning by asking the
simple question: "why is it that a=b is informative whereas a=a is a truth
of logic and can be known a priori?"

Frege's solution was the distinction between sense (Sinn) and reference
(Bedeutung), The names "a" and "b" above have the same reference
"a" but differ in sense. Paraphrasing one of Frege's examples, if
I tell you "I will photograph the Morning Star" or if I tell you "I will
photograph the Evening Star" then, clearly, the two phrases have
the same reference (i.e., the planet Venus) but one describes it as the
last celestial body to disappear at dawn and the other as the first one
to appear at dusk -- thus, they have different senses or meanings.

In general, these concepts are defined in an interdisciplinary area
pioneered by Frege and which exists between philosophy, logic, mathematics
and linguistics -- which is usually called either semiotics or semantics.
The main definitions we need here are:

Sense: the thought expressed by a phrase as given by its truth conditions,
the conditions under which it is true; the semantic value of a phrase or
name; meaning; connotation; an essential property of a thing. I consider
sense to be utterly intersubjective -- albeit often treated as approximately
objective (as abstractly done in the praxis in some cases). Since sense
is essentially intersubjective, sense depends on the observer (the study
of the interactions with the observer and the environment is called pragmatics
in semiotics) -- hopefully weakly.

Reference: the truth value of a phrase, its situation; an object;
the syntactic or direct specific value of a phrase or name; denotation;
the totality of things to which it applies. Reference is objective.

Which leads to the following properties, some of them proved here:

one reference can have any number of senses, including zero

one sense can have any number of references, including zero

Now, to use an Internet example, it is possible to have phrases that contain
a precise reference but which do not have meaning, such as "John's public-key
is A56B..". This phrase has a definite truth value (i.e., reference) and
expresses a reference for John's public-key. However, from that phrase
alone we don't know the conditions under which it is true (i.e., sense)
because we don't know to which John it refers to or even if there is such
a person. Thus, the phrase has no meaning by itself, regarding Internet
communication. In other words, knowing the truth value of a phrase (i.e.,
its reference) is not sufficient to understand it (i.e., be informed about
its sense). It is also possible to prove that it is not necessary either:
"knowing all possible references of a phrase is neither necessary nor sufficient
in order to understand its meaning".

Applying this to certification and using Shannon's concepts from 1948,
I point out that the difference between "a=b" and "a=a" is simply
that the first represents a transfer in a communication channel that links
past to present, whereas the second represents zero transfer. Since
information is what is transferred from source to destination (i.e., information
is what you do not expect) then the first statement is informational and
the second statement is clearly always expected. But Frege did not
know this in 1910.

However, if we ask the question: "what is a name in a digital
certificate?" then we can see that the name is a reference (i.e., Frege's
Bedeutung) which can be wholly contained in the certificate even down to
any desired minute data in any language or form ... and thus wholly transferred
in the cert -- which corresponds to "a=b" and the cert is informational
regarding such reference. However, the name's sense (i.e., Frege's Sinn
or meaning) cannot be contained in the certificate at all and cannot thus
be transferred. If it could, then the cert would be self-referential
to that referent, which is not informational and represents "a=a" -- "I
am myself". Thus, sense cannot even be partially contained in a cert, otherwise
that part would provide a self-reference to some part of the referent.

Which points out the futility of trying to devise name schemes however
clever, with biometrics, bio-implants, GPS satellite-data and so on
-- which would try to allow a name's sense to be contained in a certificate.
Further, it is neither possible to transfer the sense of a globally unique
name (e.g., X.500) nor the sense of a local name (e.g., PGP, etc.)
-- because the problem is not the name being local or global, but the lack
of capacity to transfer sense in general.

The same reasoning can be applied to keys or any other symbol which
may be contained in a certificate. One can never, even partially, transfer
sense (i.e., meaning) in a certificate but one may wholly transfer references.

Thus, we must recognize that certificates can contain reference information
in varying degrees of completeness, but not at all the corresponding sense
information that can allow such references to be meaningful -- hence, which
would be essential to the receiving party if some degree of reliance is
to be placed on the usage of the transferred references. There is a missing
essential connection between sense and reference.

However, since certificates represent a communication channel between
entities, past and future, it can be recognized that the missing connection
between sense and reference can then be provided by "that which is essential
to the communication channel but which cannot be transferred through that
channel" -- as trust is defined (both in the context of social trust as
well as process trust) and hereafter
understood to be qualified as "proper trust".

Further, proper trust (process or social) allows one to inverse the
process and use the references transferred in the cert in order to reach
back to sense -- thus making the received data not only cryptographically
secure but also meaningful.

Moreover, I can perhaps say that the sense of a complete certificate
is the proposition or "thought" expressed by it -- paraphrasing Frege --
where "thought" is not something private or psychological, but essentially
communicable and which must include sense and reference.

"Speakers of the same natural language communicate with one
another-- they trade contents, not uninterpreted strings of symbols --
i.e., there must be communicable content which is conveyed in discourse. The proposition expressed by a sentence, Frege maintained,
is explicable in terms of the conditions under which it is true
- its truth conditions. To grasp the literal content of a
sentence I must know under what conditions it is or would be true.",
which exemplifies that communication (i.e., "thought") is not just information
(i.e., "what you do not expect"), of symbols (i.e., "references") without
meaning (i.e., "sense"), but needs also trust (i.e., "what you know") in
order to connect reference (i.e., form, syntactics) to sense (i.e.., content,
semantics).

To practically illustrate these concepts, the reader may read the former
paragraph in its various possible meaning combinations (as given inside
the parentheses), forming different phrases which will need to be seen
as a whole in order to convey the intended "thought" -- which could not
be possibly done in just one modal form with a singular choice for each
possible set of references. For example, a few derived phrases are:

communication is not just information, of symbols without meaning, but
needs also trust in order to connect form to content, or

thought is not just information, of references without sense, but needs
also what you know in order to connect reference to sense, or

communication is not just what you do not expect, of symbols without meaning,
but needs also trust in order to connect syntactics to semantics.

The last phrase points out that Shannon's Information
Theory fails to provide a theory for communication and explains why
Shannon's 10th Theorem [Ger97] breaks down when the
abstract trust definition is applied to a communication process -- and,
that is why I prefer to call Shannon's remarkable work "Information Theory"
and not "Mathematical Theory of Communication" [Sha48]
as he himself called it. The present trust theory belongs therefore into
a larger "Communication Theory" which is then able to model and represent
actual communication -- as that process which is able to trade contents
between parties, "thoughts" in Frege's words. Which Theory (with all its
syntactic and semantic parts) finds its need and expression in the Internet,
as a prime medium to allow virtual synapses and virtual memory -- a living
virtual collective brain if we follow the autopoietic definition. It was
once said: "there is nothing more theoretical than a good practical problem".
The practical problem of Internet certification is showing that. For example,
we may go further into our metaphor of the Internet as a virtual macro-brain
and consider how "macro-thoughts" can be represented and recognized in
such structure, what is the collective "mind" that produces
such "thoughts", how is the "mind" linked to the "brain", and so on. Which
may allow cognitive theories to be tested and help improve the Internet
-- as a medium for communication and not just for information transfer
between cybernetic agents. Nowadays, cybernetic agents are beginning to
wake up to sense acquisition -- autonomous vision and control, learning
in neural nets, natural language processing, biometric interaction, etc.
-- but they still need to develop mechanisms for sense transfer between
different cybernetic agents, human agents and their respective environments
-- which will possibly depend on the present concepts of trust in communication
systems and its natural interplay with social trust (see items A.4.7
and A.4.1).
To summarize all results obtained in this item:

sense and reference are overly-variable in relationship to one another
and it is not possible to derive sense from reference, as intended in a
referential theory of meaning,

sense is utterly intersubjective while reference is objective, which alone
speaks for the lack of a causal connective between them,

sense and reference must be treated as two fully independent variables
when one wishes to transmit or receive "thoughts" as expressed in certificates
and Internet communication,

Internet parties can communicate with one another by exchanging sense and
reference in varying degrees according to need,

certificates can allow references to be securely transferred between communicating
parties,

if the parties need to trade meaningful contents, not just references,
then trust is needed to link sense to reference.

Thus, trust is not only essential for the cryptographic meaning (i.e.,
providing for valid origin authentication and data integrity authentication)
of the certificate but also for the non-cryptographic meaning of each of
its atomic parts -- for each of the names that it may contain, such as
common names, keys, hashes, etc. Clearly, given the general context
of the present treatment, the same applies to any communication process,
whether on the Internet, over the phone, postal mail or even person-to-person
-- where trust is likewise essential to provide for collective as well
as individual meaning. For an application of these concepts to Internet
semantic addressing, called the TSK/P system, see item A.4.1.

4. In commerce there is probably a greater emphasis
on assets, and in social matters the mind is often more significant; but
the emphasis varies. A lawyer's client may want the fruits of a particular
mind, and may become irritated at the suspicion that letters signed by
the lawyer are really prepared by an inexperienced colleague (a case of
the mind being more important than the assets in a commercial context).
Are unambiguous names useful here?

No. This is sense, not conveyable in a cert. This question exemplifies
a lawyer's office common situation and is particularly useful to motivate
how one can distinguish between the Morning Star and the Evening Star (different
lawyers in sense but equal in reference to the client, see Frege's example
in A.4.3) that work in the same office and may legally
sign the letter with the other's text -- however with one's key. This is
similar to the confidence-leak problem mentioned in [5]
-- which has no solution besides trust.

5. In a will or a transfer of property, the testator's
assets or the transferor's ownership of the asset are the prime concern.
In correspondence with a friend, it is the identity of the friend that
matters. Time causes all these things to decay. The lawyer whose
mind you want when he is in his prime becomes perhaps a friend when he
retires, and a duty when he becomes senile. The client whose instructions
you valued when he could afford to pay you becomes perhaps a friend but
not a client when his means decline. Can unambiguous names help here?

No. These are also all sense.

6. One must emphasize the extraordinary flexibility
of the requirements which are served by the use of common names and related
identifiers. There is a danger here for the creators of protocols,
that they will (deliberately or accidentally) use ordinary words and familiar
concepts in ways that have been artificially restricted by special definitions
to fit them for their purpose in the context of formal structures; and
that as a result they will mislead users of the protocols about what they
really do or can be used to do. What can be done in this regard?

We need to abandon the referential model of meaning, as I commented above.
So, a common name is a reference which may have varying degrees of meanings,
even multiple and even none -- which is all perfectly fine and has to be
handled, not artificially ironed out. Reference and sense must be treated
as essentially overly-variable quantities, from the start. To suppose otherwise
is to fall prey to a series of fallacies.

The protocol issue is also important because a protocol can be seen
as a means of expression -- a language. Which includes syntactics and semantics,
but for complex expressions and not just for atomic names. Thus, both the
protocol's syntactics and semantics must be expressive enough -- i.e.,
must allow all possible variations and needs of sense and reference in
a fair and secure way. The certificate itself, as a complex object formed
by various names, can be seen both as a result of and as an input to the
protocol, i.e., as being expressible and intelligible in that language.
This connects directly with the question above because one must be very
careful as to what the protocol biases or limitations might be -- as expressed
in the protocol language. For example, if we invent a language where one
can count only until 5 and thereafter it is just indicated as "many" (e.g.,
as in some tribes) then, clearly, some actions might not be auditable
at all in that language.

Protocol issues represent a further influence of pragmatics
(a branch of semantics that deals with the relation between references
and observers, including the environment), besides the interpretive value
associated with the observers (i.e., the dialogue parties) and which defines
the semantical values of the expressions.
So, the above question and others on the same vein have their roots in
one question:
Are the intended meanings (ie, from the designer, from the issuer,
from the standards, etc.) equivalent to the perceived meaning?
This question, clearly, has no knowable answer and has not a unique approximate
answer either. It is heavily intersubjective in many linkages that include
semiotics (syntactics, semantics, pragmatics), trust, cryptography, information
theory, law, psychology, etc. However, as the original question motivates,
we need to approach its subject otherwise we just have a bag of bytes,
references without sense.

This can take us to consider "effectiveness" in contrast to "correctness"
(IPSEC) under a new light: trust and semantic effectiveness must be taken
as first design considerations and not added on, as a modulation on a carrier.
They make up the vehicle for information -- the carrier itself. They are
not the final spices in a recipe. They are the assumptions.

But, some may ask, how can we objectively deal with something we can't
completely measure?

In the same way that we deal with fingerprints, voice recognition, noise
cancellation, and control in general. It can be argued that we can never
precisely measure any control variable because not only the act of measuring
itself interferes with it but also because of the finite time that must
pass between measurement and the actual use of such measurement.

In that case, while some may wonder what would be the BEST token (e.g.,
biometrics, smart-cards, PINs, challenge-response queries, etc.) to be
used for certification, we need to understand BEST as "By-Example Some
Token" -- and not that any token is more significant than any other by
itself. It all depends:

on the meanings a token may have on both sides of the communication system,

how similar both meanings are, as measured by some commonly agreed metric
function, and

how tamperproof and (possibly) private (1) and (2) are in the environment
and presumed attacks.

In all that, the token itself was not cardinal.

The solution to the points mentioned in the original question is thus
to recognize that while one needs reference and sense in order to communicate
one's thoughts -- names and certificates can only convey reference. Thus,
sense must come from another channel, which can be a tertiary channel
such as a CA or a binary channel such as to be provided by the MCS.

The main points are:

Communication depends on the perceived sense and reference of exchanged
propositions

Sense expresses the truth conditions of a proposition; sense is intersubjective

Reference expresses the truth values of a proposition; reference is objective

Or, sense cannot be linked to reference by other references, no matter
how many and multifarious

Names, common names and certificates only convey references

Trust's unique role is to provide a link between sense and reference: <sense,
trust, reference>

Trust allows one to trade contents, not uninterpreted strings of symbols

Trust is needed for certificates as a whole and also for each of its atomic
parts (names, common names, keys, etc.)

Trust is needed for any communication process, because information without
trust is devoid of meaning (i.e., sense)

Trust has subjective, intersubjective and objective components -- as a
multivector of arbitrary dimension.

Application of the trust concepts to names shows further that common names
can be repeated at will in certificates for different referents, as long
as the recipient is able to calculate the right truth conditions for the
name, not just the right truth values.

This further shows the irrelevance of the present discussions on how
to guarantee unique names, whether global names are needed or desirable
vis-a-vis privacy concerns or, if local names are better or worse than
global names.

7. Suppose that indeed we don't need unique names
or addresses for the Internet -- crypto and trust assignments can solve
it. But, what happens outside the Internet, in the 3D world? It seems that
outside the Internet, genetics and social trust can also solve it -- and
genetics is even better than NP-secure. Now, it seems to me that
there is a measuring process, for metrication, which is missing here
in this meta-process. How could that be explained and compared?

(The author acknowledges contributions from other MCG participants
in this item)

The news is old: cyber-world and 3D-world will just converge -- as everything
else!

Regarding cyber-world misconceptions, some think that
by escaping names one can escape reality. Others think that
credit-cards deals would not need names or any real-life id, just assets.
Surely, the merchant gets paid regardless, even if you use a false name.
But this is not the end of id fraud. The bank still goes after the money...and
uses the law against fraudulent practices to enforce the cardholder agreement,
or criminal statues. If Mr. X uses his wife's credit-card, Mr. X is technically
committing id fraud, and wire-fraud. Of course it works most of the time...
But when it does not, and someone comes enforcing, someone will ask, did
you Mr X, uses Mrs X's credit-card, and represent yourself thereby as Mrs
X? Some claim: Oh, but this is a brave new world! It's cyber-world!
New life! However, history has taught us over and over again that
the new has an uncanny resemblance to the old...
The basic mechanisms will converge first and then the overlap will increase.
Those on one side that defend yet newer laws and those on the other side
that defend yet newer escapes from reality will see that truth lies in
the middle. Don't people cry over fiction love-dramas on TV? Don't people
get angry over e-mail? Do we know of any medium that is as emotional as
the Internet? Much more than in phone conferences? Funny enough, when emotions
are lacking, we fill them in...perhaps to a larger extent. We overshoot
the control target, fearing that our voice might not carry enough strength
to the other side!

The author's opinion is that success in cyber-space, either as a user
or as a developer, will depend on our success to re-use and re-cycle what
we have already done -- and when that is not possible, then by shamelessly
mimicking what we already know.

And, this is easy to see.

In the cyber-world, sense is linked to reference by process trust. In
the 3D-world, sense is linked to reference by social trust. [19].
Thus, in the cyber-world, transactions are based on your reliance on three
quantities and their metric relationships:

<crypto-strength, law, process trust and>,
in the 3D-world transactions are based on your reliance on three quantities
as well, and their metric relationships:
<genetic-strength, law, social trust>.
It is perhaps to be expected that these separated spaces will gradually
intermingle, as our lives move on to cyber-space and people get used to
cyber-life in the same way that people got used to voice mail, for example.
This means that the above mentioned metric relationships will also intermingle
their dependencies, depending now on enlarged sets of four quantities each:
<crypto-strength, law, process trust, social trust> and
<genetic-strength, law, process trust, social trust>
so that it will become more and more very important to have compatible
models for the cyber-world and the 3D-world, because the borderline between
a social physical encounter and a social cyber encounter will become very
thin -- very thin indeed.
The point here is that yes, we have strong credentials
in both worlds... but such credentials are "names" (ie, symbols in
semiotics) and have no pre-defined sense to their references. Bottom-line:
the link between sense and reference is missing in both worlds --
not just in the cyber-world as often expressed. In other words, even
outside the Internet your body characteristics per se are not useful --
you still need trust to link that "body of data" (literally) to you
... even if you do not have a twin brother, or a clone. Which (see
also item A.4.3) represents an eloquent warning sign
for the indiscriminate use of biometrics, today touted as a future self-secure
certification method. Biometrics will still only provide references, not
sense -- so biometrics still needs trust to link sense to reference, like
any other certification system. Biometrics is not self-secure.
It will become less and less important to you if the deal was finalized
in 3D-space or cyber-space -- as long as and insofar as you have enough
<process trust, social trust> to allow you to rely on <law> to enforce
the credentials provided by either <crypto> or <genetics> or both.

In other words, it is not so important if the credentials are social
(i.e., reliable person to person contact, based on secure genetics such
as physical appearance, voice intonation, etc.) or process (i.e., reliable
entity to entity contact, based on secure crypto keys, unforgeable
certs, etc.) in their origin. Far more important is if you can trust those
"secure keys" and (often forgotten) if you can trust that entity
for the purpose you have in mind (e.g., business). The entity may
even be a machine or a pool of machines, a person or a pool of persons,
for all you need to care.

This is what is meant by the perspective of both worlds intermingling.
It is perhaps not far fetched to imagine that this is similar to the intermingling
seen between the different worlds exemplified in a lawyer's office, where
trainees answer letters and lawyers sign them -- and where clients trust
such letters from "their" lawyer.

The main point is that as cyber and 3D worlds converge -- the differences
will decrease... not increase.. which will make it easier just to mimic
what we already have, as much as possible.

And, what do we see on the 3D world? Do we see one giant ID? No, we
see several specific IDs, from county libraries to passports, several credit-cards,
several phone cards, etc. -- all locally issued. And, there is good reason
for it, privacy being not the most important for most cases -- but sheer
need. That is why centralized certificate issuance (i.e., CAs) and
centralized data control (i.e., hierarchical PKIs) run counter to our experience
of what works. That is also why it is more intuitive to think that certificates
are trusted because they certify (the subjective stance) and not that certificates
certify because they are trusted (the objective stance, wrong).

Of course, any transition is difficult, painful. Indeed, this seems
to be much more than just a question of investment strategy. However, the
evolution of law and process will, perhaps, be swamped by the evolution
of need.

Recently, to provide for more needed DNS real-state,
one country decided to create first-level Internet DNS domains that would
"express the owner's professional title" by three-letter abbreviations --
as if local three-letter DNS syntactics could self-certify the semantics
of a DNS user to the whole world. Further, since DNS names are not
a taxonomy but a mereology, DNS is hierarchical only in the sense
that the totality of names in the tree is a hierarchy, but there
need not to be any meaningful relationship between names at any level of
the DNS name tree. Thus, this just demonstrates a common parochial view,
where technical DNS details are ignored, a local context is
believed to be global and where spoofing, forgery, collusion, error, revocation,
viruses and other global maladies are considered to be deterred by local
law.
We all share the same network. However, we have no global law. Thus,
we have, at least, to preserve global processes and semantics.

Semantic security (ie, meaning assurance) will perhaps take the
heaviest blows in this transition to a global cyber-life -- as different
parochial needs start crying for solutions. However, if we allow semantic
security to decrease, no amount of syntactic security (e.g., certification)
will do.

Which is why one may think that <process trust, social trust> will
become increasingly important -- because they provide for meaning. Not
only which certified key you have but ... what does it mean? Not
only if the certificate is valid but if it has data which you can
rely upon for some purpose you want.

Further, the author takes the stance that as the Internet experiences
increasing media and protocol convergence -- people and machines
will suffer massive security risks!

What was safe in separated and sanitized environments, will become security
risks when they are not separated anymore. The number of interfaces will
increase, so that different systems that were never thought to be in communication
will be. A hacker in Israel will find himself a way to a US Pentagon computer
-- which was otherwise safe inside the Pentagon. Your files in your "trusted"
computer will be suddenly snatched and sold for money, to information harvesters.

Thus, certificates, for person and machines, will be needed for a great
number of deals. Your data will have to be at least origin authenticated,
not to say about data integrity authentication and encryption -- for several
things worth doing. The level of indirection will not decrease and semantic
addressing with encryption can also provide a solution to ambiguous addresses
and names (see A.4.1).

Bottom line: yes, more certificates, more issuers, more subjects!
Certification needs will escalate and current systems cannot provide an
answer.

8. I think one can go further than names, in
this model of sense and reference. I think the meta-process of metrication
above is similarly characterized generically by the sense and reference
distinction. Is that what permits the operations to span process world
and social world? In other words, what allows the metric operation in
the cyber-world to be useful when calculating the metric operation in the
3D-world?

What permits the operations to span both worlds is the real-world model
of trust, where you can seamlessly move from one domain to the other and
keep the same concepts while with a different focus. That is why it was
important to have process and social trust as isomorphic concepts. In the
question, yes, it is correct to talk about a reference for the metrication
process and that is provided by the real-world model of trust -- while
such reference has two different senses which are expressed by one metric
for each world (i.e., cyber- and social-world).

Anything can be characterized by the distinction between sense and reference,
not just names and metric functions. Specially interesting for the Internet
are signatures, keys, authorizations and methods (i.e., algorithms and
protocols) in general. So, it is important to discuss the sense of an authorization
for example, and not just its reference as expressed in a certificate.

9. What are the insights gained by this meta-process
of name assignment?

In a nutshell, certs can transfer reference, not sense. Even though sense
may be dormant in a cert, so to say, it cannot be self-referenced in certs
-- not even partially, not even for a very small part. So, there must be
a another connection between sense and reference -- which must be knowledge,
not information (see the lamb story in Item 4 of the
main section). Such knowledge must be relied upon to some extent/purpose/time
and can be proved to be trust (see item A.4.3
for the proof). So, trust allows sense to be linked to reference within
some extent/purpose/time assumptions -- e.g., as defined by your trust
multivector.

Regarding the TSK/P process (see item A.4.1), for
Internet communication irrespective of ambiguous names and addresses, one
can summarize the main issues in a few points:

Names contain reference and sense -- names are "common names", "keys",
"key-hashes", anything in a cert, including the cert itself,

Sense does not like to travel. Once you receive a name over the wire (e.g.,
a cert) then you have lost the sense -- you just have the reference,

To relink the sense, references will not do -- no matter how excellently
looking and how many,

Trust is the only glue that allows you to relink reference to sense,

How you acquire trust is entirely up to you -- but trust also does not
like to travel,

Since names in certs are just references without sense, then it is meaningless
to insist on their pretended uniqueness and spend efforts on "clever and
better" schemes which will nonetheless never work.

Names in certs cannot identify you because they have no sense. To say otherwise
is to contradict a mathematical fact known and accepted since 1910.

By a mixture of "proper semantics", "proper trust" and "proper keys"
(TSK/P) it is possible to use any common name or e-mail address to achieve
reliable communications irrespective of name collisions, with security
and privacy.

Crypto plays an essential role in TSK/P, by affording both certification
tools (e.g., cryptographic signatures that provide for origin and data
integrity authentication) and encryption -- which shows that crypto is
a basic component of communication systems, not an optional luxus.

Individuals can be identifiable worldwide, irrespective of name or address
collisions. Pseudonyms are freely allowed.

The TSK/P method does not treat keys as the one and only security barrier,
neither assumes keys to be unique and valid a priori -- in fact, security
is provided by an interplay between <semantics, trust, keys> and key
uniqueness is also subject to the method's proofs and management.

10. Defining trust as "trust is that
which is essential to a communication channel but which cannot be transferred
from a source to a destination using that channel" seems to be somewhat
inconclusive. This definition would apply equally well to my modem.

Ye spake a truth!

Let's see 3 cases of it, each one chosen so as to try to illustrate
an important aspect of such truth:

CASE A:

Consider a communication channel that needs as an essential part of
it a property X [1] which cannot be transferred through it and which
includes your modem. Then the definition applies equally well to your modem
and your modem has trust -- ie, you are using your "trusted modem with
property X" [2]. What "trusted modem with property X" means? It means
that for information transfer, the other party and/or you will need out-of-band
information on property X of your modem for some essential property, as
evaluated according to him and/or you.

Note: it's important to see that trust is always relative to the observer.
So, if you use a trusted modem then it means that it may be trusted to
you and/or to the receiving party, with possibly different connotations.
In other words: who is to decide "what is essential to a communication
channel but which cannot be transferred from a source to a destination
using that channel"? -- the observer, which can be the source and/or the
recipient.

[1] X: your modem and its properties, which can be anything that cannot
be transferred using that channel and that is essential to it as
judged by any or all of the parties (source and/or recipient), such as:
the guarantee that your modem itself was used (not Peter William's for
example), the
guaranteed noise limit levels of your modem, etc.

[2] i.e., your modem that has property X, in that channel,
according to the source and/or the recipient.

CASE B:

Now, if your communication channel (we have to be a bit flexible here
as to what one considers communication -- after all, neither Shannon nor
the author have limited communication to use only electrons as carriers,
or photons, etc.) uses doves as carriers, then probably the modem will
not be essential to that communication channel. However, suppose
that the other party decides that the doves need your modem's nice heat
in order to always be warm and ready to fly on demand to him, without delay,
and that he cannot rely on anything else for that function but that modem
for that channel. In that case, he can also call your modem his
"trusted modem with property X" [2], where now X is defined by [3].

[3] X: your modem that can reliably -- as judged by the recipient --
keep the doves warm and ready to fly on demand, without delay, at the source,
for that channel.

Note: the example above was important also in that it highlighted the
observer's role on trust: the recipient needed trust on your modem -- not
you!

CASE C:

Now consider the case that you need to communicate with a recipient
in the next building which happens to have a window that is 2 meters (7
feet) distant from your window. Suppose next that your only means of communication
is to write your message on your modem and toss it over to the other side.
Now, even though your modem is an essential part of that communication
channel (unfortunately, you may say -- but this is just a Gedankenexperiment)
it can (indeed, it must) nonetheless be transferred from source
to destination using that channel. So, your modem needs zero trust
regarding that channel -- ie, no trust is needed for your modem.

NOTE 1: This case is important not only for the fun of it (after all,
the modem is not the author's...) but because it includes an example where
no trust is needed. What does "your modem needs zero trust regarding
that
channel" mean? Here, it means that when the modem arrives at the destination
then the recipient can rely 100% upon its arrival and does not need any
other channel to tell him that the modem has arrived.

NOTE 2: "Needs zero trust" or "needs no trust" is not the same as "has
no trust". To say that "channel A has no trust for property X" is the same
as to say that "channel A does not transfer trust for property X" -- so,
if you need trust on property X you can't use channel A alone. However,
when channel A "needs zero trust for property X" it means that no other
channel is needed in order to transfer property X, but channel A.

NOTE 3: There are two important facts here: (i) your modem is an objective
reality and its subjective values are not important and, (ii) your modem
had to be transferred. These facts eliminated all need for trust on your
modem, which perhaps further illustrates the definition of trust.

11. Consider the following thought experiment.
I establish an e-mail correspondence with a person who I have never met
before. Over the course of ten years my only means of communication with
this person is through e-mail. Is is possible to establish a property that
corresponds to our term trust as a result?

Interesting experiment. I will answer in three scenarios, the first two
with trust evaluated by you (the source) and the third by the person (the
recipient). The examples were also chosen with a purpose, to help
illustrate how the trust definition can be applied.

Scenario A:

Trust being "that which is essential to a communication channel
but which cannot be transferred from a source to a destination using that
channel", then you must view the channel as a tool and first
evaluate three things:

- what is your communication channel?

- what do you consider "essential" for that channel? This could
be mathematically defined by you as an expression of the relative
certainty desired for your specific security problem and application
context, given all available knowledge you have of the operational
vulnerabilities.

- what is essential for you and yet cannot be transferred
using that channel?

So, suppose (respectively):

- you verify that the e-mail channel goes over a fiber optic
direct cable two point link between your computer and the computer of the
other person you never met before and that the person you never met before
presents you a Verisign certificate class 1 which you always verify
as valid in a 100% effective CRL list and successfully challenge
every time you send e-mail, always using S/MIME encryption with RSA/TripleDES.

- you consider essential that the channel transfers private information,
that is, information which cannot be eavesdropped within TripleDES
limits. Who the other party actually is, or if it is only one party,
or if it is a machine or person, is of no concern to you. Anyone that has
the private-key associated with the certificate is the same for you.

Then, in this case, there is nothing you consider essential that
is not being transferred.

To answer your question: for you, this channel needs zero trust
for privacy. This is a good thing -- no surprises, as commented in the
main section and above for CASE C. (note, again, that "needs zero trust"
is not the same as "has no trust" or "has zero trust")

IMPORTANT: In this case you objectively know that the information
you send in that channel is private within TripleDES limits, even in the
case of a TEMPEST attack, so such trust does not need to be transferred
to you out-of-band. In general, "If property X is essential to a channel,
a party needs no trust for property X in that channel if and only if the
party has self-trust on X".

Scenario B:

In the above example, if you would consider that trust for that channel
would be your recipient's DNA pattern, then you would not have trust on
that channel even after ten years.

Scenario C:

When you are exchanging e-mails you are using one communication
channel. But you actually have more than one communication
channel -- you also have memory channels, a memory being that special case
of a channel in which the sender transmits signals to itself at a later
point in time (such as a 10-year mailbox). Memory channels can be used
to provide for "learning" capabilities in [Ger97],
which is what I will use them here for.

Let us take the same case as above, but from the viewpoint of the other
person. Suppose that the recipient considers "essential" that the party
at the source writes and reads English with proficiency. Of course, this
information cannot be transferred using that channel, because that
channel transfers information and information in Information Theory has
nothing to do with knowledge or meaning -- it needs trust.

This is an example of the paradoxical breakdown of Shannon's
Tenth Theorem when we consider the properties of trust in communication
channels, which leads to an enhanced Communication Theory (some parts discussed
here, but to be fully published elsewhere).
During those ten years the person will use many channels (i.e., memory
channels of different messages) and test the source's English proficiency
for reading and writing (e.g., by using double negatives, different verbal
tenses, wide vocabulary, etc.). He will then develop trust that the source
has English proficiency for reading and writing. The source could be a
machine, you, another person, a group of persons or a visitor from Mars
-- this is
irrelevant to his desired trust.

This example is also interesting in that it shows that trust did not
exist in the beginning but could be built up using multiple channels.

[19] Here, the metric relationships can
provide for a partial-ordering of the sets, i.e., when you define an operation
"=" (i.e., larger or equal) which is reflexive, anti-symmetric and transitive
-- allowing one to quantitatively compare different truth conditions (i.e.,
sense) by ordering and comparing the values of their references, as both
are linked by trust.

[DS97] The objective here is not to apply
Dempster-Schafer Theory or the Dempster Rule, but, to point out that the
definition of
degree of belief is in general similar to the DS Theory. For a review
of concepts and difficulties with DS Theory, see
http://yoda.cis.temple.edu:8080/UGAIWWW/lectures95/uncertainty/dempster.html

[Wan93] Wang, P. " Belief Revision in Probability
Theory", in Technical Report No. 74 of CRCC. A revised version appears
in Proceedings of the Ninth Conference of Uncertainty in Artificial Intelligence
, 519-526. Eds. David Heckerman and Abe Mamdani. (San Mateo, CA: Morgan
Kaufmann), 1993. A PostScript file of the paper is available at http://www.cogsci.indiana.edu/farg/peiwang/papers.html

Summary:

The concept of trust dates back to history beginnings. It is recognized
by many to be cardinal to information security, security policies,
accountability, reliability, corporate management models, business
relationships, interpersonal relationships, etc. However
... what is trust? What are the conditions under which trust exists, its
truth conditions? What does it denote, what are its truth-values? Still
today, there are no satisfactory answers, no consensus and no well-defined
models. The paper shows first that the main problem is lack of
understanding of trust's truth conditions -- which does not allow trust's
truth-values to be well-defined, notwithstanding current efforts specially
in the area of Internet communication and certification, such as X.509
and PGP. The paper initially focuses on the subject of trust
in communication systems, beginning with Shannon's Information Theory
framework. A new abstract definition of trust is presented, for a
generic communication system, which is shown to lead to useful and
upward compatible meanings of trust when used in communication processes
as well as in social contexts, using several examples. The paper
shows that trust can afford an answer to the problem of measuring events
that are important, significant but which are unreachable -- as strongly
exemplified in the Internet, and which may have applications in other areas
of communication systems and science. From the discussion, trust
emerges as the mathematics of subjective certainty and precision -- a concept
to be further developed in the context of non-boolean logic over
a multivector space in Grassmann Algebra. The exposition emphasizes
Internet applications and exemplifies the developed trust theory with a
series of new results, also linked to cryptography and certification --
such as semantic addressing, TSK/P system with applications to intrinsic-
and meta-certification, names versus cryptographic-keys classes,
a quantitative model for the transition from separated 3D and cyber worlds
to an intermingled social-cyber-society, the strong role played by
Internet protocols as means of expression akin to languages -- that
may severely and even intentionally limit such expression, the fallacies
when considering biometrics as a self-secure certification method,
the use of trust to relink sense to reference and its application to certificates,
what is needed for a general solution to the global PKI problem,
etc.

WORK
DOCUMENT: This is a draft. This essay discusses a subject which summarizes
and references some of the points mentioned by myself in the mcg-talk and
in other fora, being also a result of discussions with several colleagues.This
is a discussion paper, not a final work -- but very up-to-date. It is based
on an initial e-mail reply, which the author has expanded with recent material
from his other papers, e-mail messages and exchanges, but the original
text or the additions were not significantly edited, so some of them still
retain their e-mail style ... or, lack of. The initial message is
available at
http://nma.com/mcg-mirror/trustdef.txt